auracaster/castbox-provisioning
3
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

feat: fix WireGuard AllowedIPs to preserve local network access

Browse Source 
- Added rewrite_allowed_ips() to replace 0.0.0.0/0 with VPN CIDR in WireGuard configs
- Modified step_wireguard_provision() to rewrite AllowedIPs before deploying config
- Removed TODO comment about VPN blocking local network access
This commit is contained in:
pstruebi
2025-12-17 18:29:10 +01:00
parent ea8b9639da
commit 99c9667792
1 changed files with 22 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

23
src/provision.py
View File

@@ -23,6 +23,25 @@ SSH_KEY = os.getenv("SSH_KEY") or None # path or None
PROVISION_LOG = os.getenv("PROVISION_LOG") or str((Path(__file__).resolve().parent / "provision.log")) PROVISION_LOG = os.getenv("PROVISION_LOG") or str((Path(__file__).resolve().parent / "provision.log"))
def rewrite_allowed_ips(config_text: str, allowed_cidr: str = None) -> str:
"""Rewrite AllowedIPs in a WireGuard config to only route VPN traffic.
By default, wg-easy generates configs with AllowedIPs = 0.0.0.0/0 which routes
ALL traffic through the VPN, making the device unreachable on the local network.
This rewrites it to only route traffic destined for the VPN network.
"""
if allowed_cidr is None:
allowed_cidr = POOL_CIDR
# Replace AllowedIPs = 0.0.0.0/0 (and optional ::/0 for IPv6) with just the VPN CIDR
# Handles various formats: "0.0.0.0/0", "0.0.0.0/0, ::/0", "0.0.0.0/0,::/0"
config_text = re.sub(
r"(AllowedIPs\s*=\s*)0\.0\.0\.0/0[^\n]*",
rf"\g<1>{allowed_cidr}",
config_text
)
return config_text
def scp_and_enable(ssh_host, config_text): def scp_and_enable(ssh_host, config_text):
tmp = Path(tempfile.gettempdir()) / f"{WG_IFACE}.conf" tmp = Path(tempfile.gettempdir()) / f"{WG_IFACE}.conf"
tmp.write_text(config_text) tmp.write_text(config_text)
@@ -99,6 +118,8 @@ def step_wireguard_provision(iot_host: str, client_name: str):
name = client_name name = client_name
base, auth = get_env_auth() base, auth = get_env_auth()
cid, iface, cfg = ensure_client_and_config(base, auth, name) cid, iface, cfg = ensure_client_and_config(base, auth, name)
# Rewrite AllowedIPs to only route VPN traffic, preserving local network access
cfg = rewrite_allowed_ips(cfg, POOL_CIDR)
scp_and_enable(iot_host, cfg) scp_and_enable(iot_host, cfg)
return {"wg_name": name, "wg_iface": iface} return {"wg_name": name, "wg_iface": iface}
@@ -393,7 +414,7 @@ def main():
"pull", "pull",
"hostname", "hostname",
"mac", "mac",
"wg", # TODO: after wiregurd setup a device was only reachable via vpn not in local network - fix this "wg",
"update_app", "update_app",
"start_app", "start_app",
"finish" "finish"