fix(wireguard): move /etc IP-forward edit into libreportal-appcfg

The standalone WireGuard install used to flip net.ipv4.ip_forward by
appending+uncommenting `/etc/sysctl/99-custom.conf` via blanket sudo
(sudo tee, sudo sed, sudo sysctl -p). Two problems with that on a
de-sudoed manager:
  - The path is non-standard. The conventional location is
    /etc/sysctl.d/*.conf (drop-ins, loaded by sysctl --system) — the
    old file may not even exist, leaving forwarding silently off.
  - `sudo tee /etc` and `sudo sed -i /etc` are not in LP_SYSTEM. The
    manager has lost the broad sudo it once had, so this would now
    fail outright on every wireguard install.

Add a `wireguard-ip-forward` action to libreportal-appcfg that:
  - writes /etc/sysctl.d/99-libreportal-wireguard.conf (a drop-in we
    own and rewrite idempotently), and
  - reloads via `sysctl --system` (with a `sysctl -p <dropin>` fallback).

containers/wireguard/wireguard.sh now calls `runAppCfg wireguard-ip-forward`
through the existing helper-dispatch path — the whole edit runs as root
in one validated step, no `sudo` in the per-app script.

Same de-sudo pattern as adguard-auth / crowdsec-priority / owncloud-config
already use.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Signed-off-by: librelad <librelad@digitalangels.vip>
librelad 2026-05-26 17:48:43 +01:00
parent 53c6b7fe1c
commit 763092a278
2 changed files with 26 additions and 16 deletions


@ -122,18 +122,11 @@ installWireguard()
echo "---- $menu_number. Enabling IP forwarding" echo "---- $menu_number. Enabling IP forwarding"
echo "" echo ""
# Check if the setting exists, if not, add it to the file # Drop in /etc/sysctl.d/99-libreportal-wireguard.conf + reload — the
if ! grep -q "net.ipv4.ip_forward" /etc/sysctl/99-custom.conf; then # whole thing runs as root through libreportal-appcfg so the manager
local result=$(echo "net.ipv4.ip_forward=1" | sudo tee -a /etc/sysctl/99-custom.conf > /dev/null) # never needs blanket /etc write or `sudo sysctl` itself.
checkSuccess "Enabling IPv4 IP Forwarding in the 99-sysctl.conf file (Kernel)" local result=$(runAppCfg wireguard-ip-forward)
local result=$(sudo sed -i "s/#net.ipv4.ip_forward/net.ipv4.ip_forward/g" /etc/sysctl/99-custom.conf) checkSuccess "Enabling IPv4 IP Forwarding (sysctl drop-in + reload)"
checkSuccess "Enabling IPv4 IP Forwarding in the 99-sysctl.conf file (Kernel)"
else
isNotice "IPv4 IP Forwarding setting already exists in the 99-custom.conf file."
fi
local result=$(sudo sysctl -p)
checkSuccess "Apply changes made to the System's Kernel"
((menu_number++)) ((menu_number++))
echo "" echo ""
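Review bot: `local result=$(runAppCfg wireguard-ip-forward)` assigns inside the `local` declaration, so the status the following `checkSuccess` line sees is `local`'s (always 0), not runAppCfg's — if checkSuccess reads `$?`, a failed drop-in write or reload is reported as success. Splitting the declaration fixes it: `local result` on one line, then `result=$(runAppCfg wireguard-ip-forward)`. The removed code had the same shape, but this is now the only line that tells the manager whether forwarding was actually enabled, so it is worth correcting while it is being rewritten. installWireguard's body starts and ends outside this hunk.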


@ -52,6 +52,22 @@ adguard_auth() {
rm -f "$tmp" rm -f "$tmp"
} }
# --- WireGuard: enable IPv4 ip_forward via a sysctl drop-in --------------------
# The container needs the host kernel to forward packets between WG and the LAN.
# Lays down a conventional /etc/sysctl.d drop-in (idempotent overwrite) and asks
# the kernel to reload — avoids the legacy `/etc/sysctl/99-custom.conf` path
# (non-standard, may not exist) the old wireguard.sh edited via blanket sudo.
wireguard_ip_forward() {
local dropin="/etc/sysctl.d/99-libreportal-wireguard.conf"
cat > "$dropin" <<'EOF'
# Enable IPv4 forwarding for the LibrePortal WireGuard container.
# Managed by libreportal-appcfg wireguard-ip-forward.
net.ipv4.ip_forward=1
EOF
chmod 0644 "$dropin"
sysctl --system >/dev/null 2>&1 || sysctl -p "$dropin" >/dev/null 2>&1 || true
}
# --- CrowdSec: set nftables ipv4/ipv6 priority to -100 in the bouncer yaml ------ # --- CrowdSec: set nftables ipv4/ipv6 priority to -100 in the bouncer yaml ------
crowdsec_priority() { crowdsec_priority() {
local cfg="/etc/crowdsec/bouncers/crowdsec-firewall-bouncer.yaml" local cfg="/etc/crowdsec/bouncers/crowdsec-firewall-bouncer.yaml"
@ -126,8 +142,9 @@ EOL
action="${1:-}"; shift 2>/dev/null || true action="${1:-}"; shift 2>/dev/null || true
case "$action" in case "$action" in
adguard-auth) adguard_auth "${1:-}" "${2:-}" ;; adguard-auth) adguard_auth "${1:-}" "${2:-}" ;;
crowdsec-priority) crowdsec_priority ;; crowdsec-priority) crowdsec_priority ;;
owncloud-config) owncloud_config "${1:-}" "${2:-}" "${3:-}" "${4:-}" ;; owncloud-config) owncloud_config "${1:-}" "${2:-}" "${3:-}" "${4:-}" ;;
*) echo "usage: libreportal-appcfg {adguard-auth <user> <bcrypt>|crowdsec-priority|owncloud-config <public> <host> <ip> <public_ip>}" >&2; exit 2 ;; wireguard-ip-forward) wireguard_ip_forward ;;
*) echo "usage: libreportal-appcfg {adguard-auth <user> <bcrypt>|crowdsec-priority|owncloud-config <public> <host> <ip> <public_ip>|wireguard-ip-forward}" >&2; exit 2 ;;
esac esac
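Review bot: wireguard_ip_forward, in the first hunk of this file, ends with `sysctl --system >/dev/null 2>&1 || sysctl -p "$dropin" >/dev/null 2>&1 || true`, so the action exits 0 even when both reload attempts fail and forwarding stays off — the caller's checkSuccess can never observe that outcome. Since the reason for routing this through the validated root dispatcher is to make the step reliable, read back the effective value instead of swallowing the status: after the reload line add `[ "$(sysctl -n net.ipv4.ip_forward 2>/dev/null)" = 1 ] || { echo "wireguard-ip-forward: net.ipv4.ip_forward still not 1" >&2; return 1; }`. The `|| true` is understandable because `sysctl --system` returns non-zero when any unrelated drop-in contains a bad key, but the explicit read-back keeps that tolerance while still reporting a real failure. The new case arm itself looks right — the action takes no arguments and writes fixed content to a fixed path, so the added root entry point carries no caller-controlled input.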