From 763092a27859895d49ff2cdb0628f8b97918c998 Mon Sep 17 00:00:00 2001
From: librelad
Date: Tue, 26 May 2026 17:48:43 +0100
Subject: [PATCH] fix(wireguard): move /etc IP-forward edit into libreportal-appcfg
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The standalone WireGuard install used to flip net.ipv4.ip_forward by appending+uncommenting `/etc/sysctl/99-custom.conf` via blanket sudo (sudo tee, sudo sed, sudo sysctl -p). Two problems with that on a de-sudoed manager:
- The path is non-standard. The conventional location is /etc/sysctl.d/*.conf (drop-ins, loaded by sysctl --system) — the old file may not even exist, leaving forwarding silently off.
- `sudo tee /etc` and `sudo sed -i /etc` are not in LP_SYSTEM. The manager has lost the broad sudo it once had, so this would now fail outright on every wireguard install.
Add a `wireguard-ip-forward` action to libreportal-appcfg that:
- writes /etc/sysctl.d/99-libreportal-wireguard.conf (a drop-in we own and rewrite idempotently), and
- reloads via `sysctl --system` (with a `sysctl -p ` fallback).
containers/wireguard/wireguard.sh now calls `runAppCfg wireguard-ip-forward` through the existing helper-dispatch path — the whole edit runs as root in one validated step, no `sudo` in the per-app script. Same de-sudo pattern as adguard-auth / crowdsec-priority / owncloud-config already use.
Co-Authored-By: Claude Opus 4.7
Signed-off-by: librelad
---
 containers/wireguard/wireguard.sh | 17 +++++------------
 scripts/system/libreportal-appcfg | 25 +++++++++++++++++++++----
 2 files changed, 26 insertions(+), 16 deletions(-)

diff --git a/containers/wireguard/wireguard.sh b/containers/wireguard/wireguard.sh
index 9005516..0b04673 100755
--- a/containers/wireguard/wireguard.sh
+++ b/containers/wireguard/wireguard.sh
@@ -122,18 +122,11 @@ installWireguard()
 echo "---- $menu_number. Enabling IP forwarding"
 echo ""
- # Check if the setting exists, if not, add it to the file
- if ! grep -q "net.ipv4.ip_forward" /etc/sysctl/99-custom.conf; then
- local result=$(echo "net.ipv4.ip_forward=1" | sudo tee -a /etc/sysctl/99-custom.conf > /dev/null)
- checkSuccess "Enabling IPv4 IP Forwarding in the 99-sysctl.conf file (Kernel)"
- local result=$(sudo sed -i "s/#net.ipv4.ip_forward/net.ipv4.ip_forward/g" /etc/sysctl/99-custom.conf)
- checkSuccess "Enabling IPv4 IP Forwarding in the 99-sysctl.conf file (Kernel)"
- else
- isNotice "IPv4 IP Forwarding setting already exists in the 99-custom.conf file."
- fi
-
- local result=$(sudo sysctl -p)
- checkSuccess "Apply changes made to the System's Kernel"
+ # Drop in /etc/sysctl.d/99-libreportal-wireguard.conf + reload — the
+ # whole thing runs as root through libreportal-appcfg so the manager
+ # never needs blanket /etc write or `sudo sysctl` itself.
+ local result=$(runAppCfg wireguard-ip-forward)
+ checkSuccess "Enabling IPv4 IP Forwarding (sysctl drop-in + reload)"
 ((menu_number++))
 echo ""
diff --git a/scripts/system/libreportal-appcfg b/scripts/system/libreportal-appcfg
index 2baffb9..a72fd32 100644
--- a/scripts/system/libreportal-appcfg
+++ b/scripts/system/libreportal-appcfg
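Review bot: `local result=$(runAppCfg wireguard-ip-forward)` discards the helper's exit status — `$?` after that line is the status of `local`, which is always 0 — so if `checkSuccess` keys off `$?` the step reports success even when the dispatch was refused or the drop-in was never written (the removed lines carried the same flaw; this is the moment to stop carrying it). Split declaration from assignment, `local result` then `result=$(runAppCfg wireguard-ip-forward)`, so the status survives to `checkSuccess`. Because the helper on the appcfg side tolerates a failed `sysctl` reload, the only reliable evidence that forwarding is on is the live value, which needs no privilege to read: `[[ "$(sysctl -n net.ipv4.ip_forward 2>/dev/null)" == "1" ]]` just before `checkSuccess` would make the message truthful. installWireguard starts before this hunk and continues after it.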
@@ -52,6 +52,22 @@ adguard_auth() {
 rm -f "$tmp"
 }
+# --- WireGuard: enable IPv4 ip_forward via a sysctl drop-in --------------------
+# The container needs the host kernel to forward packets between WG and the LAN.
+# Lays down a conventional /etc/sysctl.d drop-in (idempotent overwrite) and asks
+# the kernel to reload — avoids the legacy `/etc/sysctl/99-custom.conf` path
+# (non-standard, may not exist) the old wireguard.sh edited via blanket sudo.
+wireguard_ip_forward() {
+ local dropin="/etc/sysctl.d/99-libreportal-wireguard.conf"
+ cat > "$dropin" <<'EOF'
+# Enable IPv4 forwarding for the LibrePortal WireGuard container.
+# Managed by libreportal-appcfg wireguard-ip-forward.
+net.ipv4.ip_forward=1
+EOF
+ chmod 0644 "$dropin"
+ sysctl --system >/dev/null 2>&1 || sysctl -p "$dropin" >/dev/null 2>&1 || true
+}
+
 # --- CrowdSec: set nftables ipv4/ipv6 priority to -100 in the bouncer yaml ------
 crowdsec_priority() {
 local cfg="/etc/crowdsec/bouncers/crowdsec-firewall-bouncer.yaml"
@@ -126,8 +142,9 @@ EOL
 action="${1:-}"; shift 2>/dev/null || true
 case "$action" in
- adguard-auth) adguard_auth "${1:-}" "${2:-}" ;;
- crowdsec-priority) crowdsec_priority ;;
- owncloud-config) owncloud_config "${1:-}" "${2:-}" "${3:-}" "${4:-}" ;;
- *) echo "usage: libreportal-appcfg {adguard-auth |crowdsec-priority|owncloud-config }" >&2; exit 2 ;;
+ adguard-auth) adguard_auth "${1:-}" "${2:-}" ;;
+ crowdsec-priority) crowdsec_priority ;;
+ owncloud-config) owncloud_config "${1:-}" "${2:-}" "${3:-}" "${4:-}" ;;
+ wireguard-ip-forward) wireguard_ip_forward ;;
+ *) echo "usage: libreportal-appcfg {adguard-auth |crowdsec-priority|owncloud-config |wireguard-ip-forward}" >&2; exit 2 ;;
 esac
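Review bot: `sysctl --system >/dev/null 2>&1 || sysctl -p "$dropin" >/dev/null 2>&1 || true` at the end of wireguard_ip_forward makes the action exit 0 whether or not forwarding was actually enabled, and the `2>/dev/null` on both calls hides why a reload failed, so the caller's "Enabling IPv4 IP Forwarding" result is unverifiable. `sysctl --system` also reapplies every drop-in and, on procps-based systems, reads `/etc/sysctl.conf` after the drop-ins, so a host with an explicit `net.ipv4.ip_forward=0` there still ends up with forwarding off after a run this function reports as fine. Check the live value after the reload and return non-zero with a message on stderr when it is not 1; the rewritten tail is below. A comment above the reload saying that `--system` reapplies the whole sysctl set rather than only this file would also spare the next reader a surprise.

```shell
    # … unchanged: heredoc that writes the drop-in …
    chmod 0644 "$dropin"
    # `sysctl --system` reapplies the whole sysctl set (every drop-in, then
    # /etc/sysctl.conf), so a later file can still override this one — verify
    # the live value rather than trusting the reload's exit status.
    if ! sysctl --system >/dev/null 2>&1; then
        sysctl -p "$dropin" >/dev/null || true
    fi
    if [ "$(sysctl -n net.ipv4.ip_forward 2>/dev/null)" != "1" ]; then
        echo "wireguard-ip-forward: net.ipv4.ip_forward is not 1 after reload" >&2
        return 1
    fi
}
```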