Skip to content

Commit

Permalink
[feature] Added support for WireGuard and VXLAN #225
Browse files Browse the repository at this point in the history
Added two images:
 - wireguard: image that runs WireGuard and VXLAN server
 - wireguard_updater: image that runs a Flask app that is
   used for triggering configuration update for WireGuard
   and VXLAN server

Closes #225
  • Loading branch information
pandafy committed Jul 5, 2022
1 parent 812733d commit 3c0257c
Show file tree
Hide file tree
Showing 20 changed files with 643 additions and 13 deletions.
5 changes: 5 additions & 0 deletions .env
Original file line number Diff line number Diff line change
Expand Up @@ -5,6 +5,7 @@
DASHBOARD_DOMAIN=dashboard.openwisp.org
API_DOMAIN=api.openwisp.org
VPN_DOMAIN=openvpn.openwisp.org
WIREGUARD_UPDATER_DOMAIN=wireguard-updater.openwisp.org
EMAIL_DJANGO_DEFAULT=[email protected]
DB_USER=admin
DB_PASS=admin
Expand Down Expand Up @@ -42,6 +43,10 @@ X509_COMMON_NAME=OpenWISP
# VPN
VPN_NAME=default
VPN_CLIENT_NAME=default-management-vpn
# WireGuard
WIREGUARD_UPDATER_PORT=8081
WIREGUARD_UPDATER_ENDPOINT=/trigger-update
WIREGUARD_UPDATER_KEY=openwisp-wireguard-updater-auth-key
# Developer
DEBUG_MODE=False
DJANGO_LOG_LEVEL=INFO
Expand Down
3 changes: 2 additions & 1 deletion .github/workflows/branch.yml
Original file line number Diff line number Diff line change
Expand Up @@ -30,7 +30,8 @@ jobs:

- name: Setup
run: |
echo "127.0.0.1 dashboard.openwisp.org api.openwisp.org" | sudo tee -a /etc/hosts
echo "127.0.0.1 dashboard.openwisp.org api.openwisp.org wireguard-updater.openwisp.org" |
sudo tee -a /etc/hosts
- name: Build & Publish
run: make publish TAG=edge || (docker-compose logs && exit 1)
Expand Down
3 changes: 2 additions & 1 deletion Makefile
Original file line number Diff line number Diff line change
Expand Up @@ -91,7 +91,8 @@ TAG = latest
publish: compose-build runtests nfs-build
for image in 'openwisp-base' 'openwisp-nfs' 'openwisp-api' 'openwisp-dashboard' \
'openwisp-freeradius' 'openwisp-nginx' 'openwisp-openvpn' 'openwisp-postfix' \
'openwisp-websocket' ; do \
'openwisp-celelery' 'openwisp-websocket' 'openwisp-wireguard' \
'openwisp-wireguard-updater' ; do \
docker tag openwisp/$${image}:latest $(USER)/$${image}:$(TAG); \
docker push $(USER)/$${image}:$(TAG); \
docker rmi $(USER)/$${image}:$(TAG); \
Expand Down
18 changes: 12 additions & 6 deletions README.md
Original file line number Diff line number Diff line change
Expand Up @@ -21,6 +21,7 @@ The sample files for deployment on kubernetes are available in the `deploy/examp
- [Quick Setup](#quick-setup)
- [Compose](#compose)
- [Kubernetes](#kubernetes)
- [Deploying WireGuard VPN](#deploying-wireguard-vpn)
- [Customization](#customization)
- [Custom Django Settings](#custom-django-settings)
- [Custom Styles and JavaScript](#custom-styles-and-javascript)
Expand All @@ -30,6 +31,7 @@ The sample files for deployment on kubernetes are available in the `deploy/examp
- [Development](#development)
- [Workbench setup](#workbench-setup)
- [Runtests](#runtests)
- [Run Quality Assurance Checks](#run-quality-assurance-checks)
- [Usage](#usage)
- [Makefile Options](#makefile-options)

Expand Down Expand Up @@ -112,6 +114,10 @@ by the images:
- startup probe example: `test $(ps aux | grep -c uwsgi) -ge 2`
- readiness probe example: `python services.py uwsgi_status "127.0.0.1:8001"`

### Deploying WireGuard VPN

Follow this detailed [step-by-step guide for deploying the WireGuard VPN](docs/tutorials/deploying-wireguard-vpn.md).

## Customization

The following commands will create the directory structure required for
Expand Down Expand Up @@ -244,7 +250,7 @@ If you want to disable a service, you can simply remove the container for that s
- Default username & password are `admin`.
- Default domains are: `dashboard.openwisp.org` and `api.openwisp.org`.
- To reach the dashboard you may need to add the openwisp domains set in your `.env` to your `hosts` file,
example: `bash -c 'echo "127.0.0.1 dashboard.openwisp.org api.openwisp.org" >> /etc/hosts'`
example: `bash -c 'echo "127.0.0.1 dashboard.openwisp.org api.openwisp.org wireguard-updater.openwisp.org" >> /etc/hosts'`
- Now you'll need to do steps (2) everytime you make a changes and want to build the images again.
- If you want to perform actions like cleaning everything produced by `docker-openwisp`,
please use the [makefile options](#makefile-options).
Expand All @@ -257,15 +263,15 @@ You can run tests either with `geckodriver` (firefox) or `chromedriver` (chromiu

- Setup chromedriver

1. Install chromium:
1. Install chromium:

```bash
# On debian
# On debian
sudo apt --yes install chromium
# On ubuntu
# On ubuntu
sudo apt --yes install chromium-browser
```

3. Check version: `chromium --version`
4. Install Driver for your version: [`https://chromedriver.chromium.org/downloads`](https://chromedriver.chromium.org/downloads)
5. Extract chromedriver to one of directories from your `$PATH`. (example: `/usr/bin/`)
Expand Down
55 changes: 52 additions & 3 deletions docker-compose.yml
Original file line number Diff line number Diff line change
Expand Up @@ -57,8 +57,11 @@ services:
- dashboard

celery:
image: openwisp/openwisp-dashboard:latest
image: openwisp/openwisp-celery:latest
restart: always
build:
context: images
dockerfile: openwisp_celery/Dockerfile
environment:
- MODULE_NAME=celery
volumes:
Expand All @@ -72,8 +75,11 @@ services:
- dashboard

celery_monitoring:
image: openwisp/openwisp-dashboard:latest
image: openwisp/openwisp-celery:latest
restart: always
build:
context: images
dockerfile: openwisp_celery/Dockerfile
environment:
- MODULE_NAME=celery_monitoring
volumes:
Expand All @@ -87,8 +93,8 @@ services:
- dashboard

celerybeat:
image: openwisp/openwisp-dashboard:latest
restart: always
image: openwisp/openwisp-celery:latest
environment:
- MODULE_NAME=celerybeat
env_file:
Expand Down Expand Up @@ -118,13 +124,15 @@ services:
aliases:
- dashboard.internal
- api.internal
- wireguard_updater.internal
ports:
- "80:80"
- "443:443"
depends_on:
- dashboard
- api
- websocket
- wireguard_updater

freeradius:
image: openwisp/openwisp-freeradius:latest
Expand Down Expand Up @@ -168,6 +176,47 @@ services:
cap_add:
- NET_ADMIN

wireguard:
image: openwisp/openwisp-wireguard:latest
build:
context: images
dockerfile: openwisp_wireguard/Dockerfile
env_file:
- .env
environment:
# Substitute the placeholder values with the UUID and Key
# of the VPN server.
# These variables needs to be configured on individual
# container to avoid conflicts between multiple VPN servers.
- WIREGUARD_VPN_UUID=ENTER_WIREGUARD_VPN_UUID
- WIREGUARD_VPN_KEY=ENTER_WIREGUARD_VPN_KEY
# Maps the default UDP port (51820) for WireGuard VPN traffic.
# Update this this if you are using different port for WireGuard.
ports:
- 51820:51820/udp
# Following properties allow WireGuard to manage network on the
# machine while running in a container.
volumes:
- /lib/modules:/lib/modules
cap_add:
- NET_ADMIN
- SYS_MODULE

wireguard_updater:
image: openwisp/openwisp-wireguard-updater:latest
build:
context: images
dockerfile: openwisp_wireguard_updater/Dockerfile
args:
WIREGUARD_UPDATER_APP_PORT: 8081
env_file:
- .env
environment:
# Create an authentication token consisting alphanumeric
# characters. This token will be used by OpenWISP for
# triggering configuration updates.
- WIREGUARD_UPDATER_KEY=openwisp-wireguard-updater-auth-key

postgres:
image: mdillon/postgis:11-alpine
restart: always
Expand Down
59 changes: 59 additions & 0 deletions docs/ENV.md
Original file line number Diff line number Diff line change
Expand Up @@ -25,6 +25,8 @@ Following are the options that can be changed. The list is divided in following
- [uWSGI](#uWSGI): uWSGI configurations.
- [Nginx](#Nginx): Nginx configurations.
- [VPN](#VPN): Default VPN and VPN template related configurations.
- [WireGuard](#WireGuard): WireGuard VPN configurations.
- [WireGuard Updater](#WireGuard-Updater): WireGuard Updater app configurations.
- [X509](#X509): Default certificate & certicate Authority configuration options.
- [Host](#Hosts): Want to change the host of a particular service? Like pointing all the containers to a different database service.
- [Developer](#Developer): DON'T change these values unless you know what you are doing.
Expand Down Expand Up @@ -661,6 +663,56 @@ Any OpenWISP Configuration of type `string`. `int`, `bool` or `json` is supporte
- **Valid Values:** STRING
- **Default:** default-management-vpn

## WireGuard

**Note:** If you have more that one WireGuard container, then these
settings should be configured on individual container.

### `WIREGUARD_VPN_UUID`

- **Explanation:** ``UUID`` of the WireGuard VPN server object created on the OpenWISP dashboard.
- **Valid Values:** STRING

### `WIREGUARD_VPN_KEY`

- **Explanation:** ``Key`` of the WireGuard VPN server object created on the OpenWISP dashboard.
- **Valid Values:** STRING

## WireGuard Updater

### `WIREGUARD_UPDATER_KEY`

- **Explanation:** The authentication token required to trigger the configuration
updater. It is strongly recommended to change this before deploying the container.
- **Valid Values:** STRING
- **Default:** openwisp-wireguard-updater-auth-key

### `WIREGUARD_UPDATER_DOMAIN`

- **Explanation:** Valid domain / IP address to reach the WireGuard updater application.
- **Valid Values:** Domain
- **Default:** wireguard-updater.openwisp.org

### `WIREGUARD_UPDATER_APP_PORT`

- **Explanation:** Change the port on which NGINX connects to the updater app on the WireGuard updater container. Don't change unless you know what you are doing.
- **Valid Values:** INTEGER
- **Default:** 8081

### `WIREGUARD_UPDATER_ENDPOINT`

- **Explanation:** The endpoint used for triggering updates to configuration of
WireGuard tunnels. It should lead with a slash (`/`). Don't change unless
you know what you are doing.
- **Valid Values:** STRING
- **Default:** /trigger-update

### `WIREGUARD_UPDATER_APP_SERVICE`

- **Explanation:** Host to establish WireGuard updater connection.
- **Valid Values:** Domain | IP address
- **Default:** wireguard_updater

## X509

### `X509_NAME_CA`
Expand Down Expand Up @@ -788,6 +840,13 @@ Any OpenWISP Configuration of type `string`. `int`, `bool` or `json` is supporte
- **Valid Values:** STRING
- **Default:** api.internal

### `WIREGUARD_UPDATER_INTERNAL`

- **Explanation:** Internal domain to reach the WireGuard updater app
from other containers.
- **Valid Values:** STRING
- **Default:** wireguard_updater.internal

### `POSTFIX_DEBUG_MYNETWORKS`

- **Explanation:** Set debug_peer_list for given list of networks.
Expand Down
Binary file added docs/images/wireguard-config-update.jpg
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Loading

0 comments on commit 3c0257c

Please sign in to comment.