feat: enhance AWG2 protocol handling by adding config directory management and fixing empty peer block in install script
This commit is contained in:
infosave2007
@@ -1093,6 +1093,10 @@ class InstallProtocolManager
|
|||||||
$metadata = $protocol['definition']['metadata'] ?? [];
|
$metadata = $protocol['definition']['metadata'] ?? [];
|
||||||
$serverData = $server->getData();
|
$serverData = $server->getData();
|
||||||
$containerName = $serverData['container_name'] ?? ($metadata['container_name'] ?? 'amnezia-awg');
|
$containerName = $serverData['container_name'] ?? ($metadata['container_name'] ?? 'amnezia-awg');
|
||||||
|
$configDir = trim((string) ($metadata['config_dir'] ?? ''));
|
||||||
|
if ($configDir === '') {
|
||||||
|
$configDir = (($protocol['slug'] ?? '') === 'awg2') ? '/opt/amnezia/awg2' : '/opt/amnezia/awg';
|
||||||
|
}
|
||||||
$candidateNames = array_values(array_unique(array_filter([
|
$candidateNames = array_values(array_unique(array_filter([
|
||||||
is_string($containerName) ? trim($containerName) : '',
|
is_string($containerName) ? trim($containerName) : '',
|
||||||
is_string($metadata['container_name'] ?? null) ? trim((string) $metadata['container_name']) : '',
|
is_string($metadata['container_name'] ?? null) ? trim((string) $metadata['container_name']) : '',
|
||||||
@@ -1111,10 +1115,11 @@ class InstallProtocolManager
|
|||||||
$server->executeCommand("docker rm -fv {$arg} 2>/dev/null || true", true);
|
$server->executeCommand("docker rm -fv {$arg} 2>/dev/null || true", true);
|
||||||
}
|
}
|
||||||
// Remove known images (best-effort)
|
// Remove known images (best-effort)
|
||||||
$server->executeCommand("docker rmi amneziavpn/amnezia-wg amneziavpn/amnezia-awg 2>/dev/null || true", true);
|
$server->executeCommand("docker rmi amneziavpn/amnezia-wg amneziavpn/amnezia-awg amnezia-awg2 2>/dev/null || true", true);
|
||||||
// Attempt to remove amnezia-dns-net network if present (best-effort)
|
// Attempt to remove amnezia-dns-net network if present (best-effort)
|
||||||
$server->executeCommand("docker network rm amnezia-dns-net 2>/dev/null || true", true);
|
$server->executeCommand("docker network rm amnezia-dns-net 2>/dev/null || true", true);
|
||||||
// Remove on-disk data for AWG
|
// Remove on-disk data for AWG protocol config to avoid stale restore paths.
|
||||||
|
$server->executeCommand("rm -rf " . escapeshellarg($configDir) . " 2>/dev/null || true", true);
|
||||||
$server->executeCommand("rm -rf /opt/amnezia/amnezia-awg 2>/dev/null || true", true);
|
$server->executeCommand("rm -rf /opt/amnezia/amnezia-awg 2>/dev/null || true", true);
|
||||||
|
|
||||||
// Clear server deployment metadata in database for this server
|
// Clear server deployment metadata in database for this server
|
||||||
|
|||||||
+15
-12
@@ -675,17 +675,9 @@ class VpnClient
|
|||||||
private static function generateClientKeys(array $serverData, string $clientName): array
|
private static function generateClientKeys(array $serverData, string $clientName): array
|
||||||
{
|
{
|
||||||
$containerName = $serverData['container_name'];
|
$containerName = $serverData['container_name'];
|
||||||
$token = bin2hex(random_bytes(8));
|
|
||||||
|
|
||||||
$cmd = sprintf(
|
$cmd = sprintf(
|
||||||
"docker exec -i %s sh -c \"umask 077; wg genkey | tee /tmp/%s_priv.key | wg pubkey > /tmp/%s_pub.key; cat /tmp/%s_priv.key; echo '---'; cat /tmp/%s_pub.key; rm -f /tmp/%s_priv.key /tmp/%s_pub.key\"",
|
"docker exec -i %s sh -lc 'set -e; umask 077; priv=$(wg genkey); pub=$(printf %s \"$priv\" | wg pubkey); printf \"%%s\\n---\\n%%s\\n\" \"$priv\" \"$pub\"'",
|
||||||
$containerName,
|
escapeshellarg($containerName)
|
||||||
$token,
|
|
||||||
$token,
|
|
||||||
$token,
|
|
||||||
$token,
|
|
||||||
$token,
|
|
||||||
$token
|
|
||||||
);
|
);
|
||||||
|
|
||||||
$escaped = escapeshellarg($cmd);
|
$escaped = escapeshellarg($cmd);
|
||||||
@@ -705,9 +697,15 @@ class VpnClient
|
|||||||
throw new Exception("Failed to generate client keys");
|
throw new Exception("Failed to generate client keys");
|
||||||
}
|
}
|
||||||
|
|
||||||
|
$private = trim((string) $parts[0]);
|
||||||
|
$public = trim((string) $parts[1]);
|
||||||
|
if ($private === '' || $public === '') {
|
||||||
|
throw new Exception('Failed to generate client keys: empty key output');
|
||||||
|
}
|
||||||
|
|
||||||
return [
|
return [
|
||||||
'private' => trim($parts[0]),
|
'private' => $private,
|
||||||
'public' => trim($parts[1])
|
'public' => $public
|
||||||
];
|
];
|
||||||
}
|
}
|
||||||
|
|
||||||
@@ -984,6 +982,11 @@ class VpnClient
|
|||||||
{
|
{
|
||||||
$containerName = $serverData['container_name'];
|
$containerName = $serverData['container_name'];
|
||||||
$presharedKey = $serverData['preshared_key'];
|
$presharedKey = $serverData['preshared_key'];
|
||||||
|
$publicKey = trim($publicKey);
|
||||||
|
|
||||||
|
if ($publicKey === '') {
|
||||||
|
throw new Exception('Refusing to add client with empty public key');
|
||||||
|
}
|
||||||
|
|
||||||
// 1. Create temp file for PSK (to avoid shell escaping issues)
|
// 1. Create temp file for PSK (to avoid shell escaping issues)
|
||||||
$pskFile = '/tmp/' . bin2hex(random_bytes(8)) . '.psk';
|
$pskFile = '/tmp/' . bin2hex(random_bytes(8)) . '.psk';
|
||||||
|
|||||||
@@ -119,11 +119,6 @@ H3 = $H3_VAL
|
|||||||
H4 = $H4_VAL
|
H4 = $H4_VAL
|
||||||
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
|
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
|
||||||
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
|
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
|
||||||
|
|
||||||
[Peer]
|
|
||||||
PublicKey =
|
|
||||||
PresharedKey = $PRESHARED_KEY
|
|
||||||
AllowedIPs = 10.8.1.2/32
|
|
||||||
EOF
|
EOF
|
||||||
|
|
||||||
echo "$PRIVATE_KEY" > /opt/amnezia/awg2/wireguard_server_private_key.key
|
echo "$PRIVATE_KEY" > /opt/amnezia/awg2/wireguard_server_private_key.key
|
||||||
@@ -310,11 +305,6 @@ H3 = $H3_VAL
|
|||||||
H4 = $H4_VAL
|
H4 = $H4_VAL
|
||||||
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
|
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
|
||||||
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
|
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
|
||||||
|
|
||||||
[Peer]
|
|
||||||
PublicKey =
|
|
||||||
PresharedKey = $PRESHARED_KEY
|
|
||||||
AllowedIPs = 10.8.1.2/32
|
|
||||||
EOF
|
EOF
|
||||||
|
|
||||||
echo "$PRIVATE_KEY" > /opt/amnezia/awg2/wireguard_server_private_key.key
|
echo "$PRIVATE_KEY" > /opt/amnezia/awg2/wireguard_server_private_key.key
|
||||||
|
|||||||
@@ -0,0 +1,14 @@
|
|||||||
|
-- Remove invalid empty peer block from AWG2 install script.
|
||||||
|
-- The old script generated wg0.conf with:
|
||||||
|
-- [Peer]
|
||||||
|
-- PublicKey =
|
||||||
|
-- which causes awg setconf parse errors and restart loops.
|
||||||
|
|
||||||
|
UPDATE protocols
|
||||||
|
SET install_script = REPLACE(
|
||||||
|
install_script,
|
||||||
|
'\n[Peer]\nPublicKey = \nPresharedKey = $PRESHARED_KEY\nAllowedIPs = 10.8.1.2/32\n',
|
||||||
|
'\n'
|
||||||
|
)
|
||||||
|
WHERE slug = 'awg2'
|
||||||
|
AND install_script LIKE '%[Peer]%PublicKey = %PresharedKey = $PRESHARED_KEY%AllowedIPs = 10.8.1.2/32%';
|
||||||
Reference in New Issue
Block a user