alexz/runtipi
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

.
Some checks failed
Test / test (push) Has been cancelled
Details

Browse Source
This commit is contained in:
Alex Zaw
2026-01-17 08:49:44 +00:00
parent 529842a411
commit 4c067c14d8
1 changed files with 26 additions and 18 deletions
Download Patch File Download Diff File Expand all files Collapse all files

28
apps/rego-tunnel/shared/host-routing.sh
View File

@@ -11,6 +11,8 @@ ACTION="${1:-start}"
CONTAINER_IP="172.31.0.10" CONTAINER_IP="172.31.0.10"
BRIDGE_NAME="br-rego-vpn" BRIDGE_NAME="br-rego-vpn"
TARGET_IP="${TARGET_IP:-10.35.33.230}" TARGET_IP="${TARGET_IP:-10.35.33.230}"
LAN_SUBNET="192.168.0.0/23"
LAN_INTERFACES="eth0 eth1 wlan0"
LOG_FILE="/var/log/rego-routing.log" LOG_FILE="/var/log/rego-routing.log"
log() { log() {
@@ -50,8 +52,10 @@ apply_routes() {
ip route replace "$TARGET_IP/32" via "$CONTAINER_IP" dev "$BRIDGE_NAME" ip route replace "$TARGET_IP/32" via "$CONTAINER_IP" dev "$BRIDGE_NAME"
log "Route added: $TARGET_IP via $CONTAINER_IP dev $BRIDGE_NAME" log "Route added: $TARGET_IP via $CONTAINER_IP dev $BRIDGE_NAME"
# Allow forwarding in DOCKER-USER chain (if LAN interface detected) # Allow forwarding in DOCKER-USER chain for all LAN interfaces
if [[ -n "$lan_if" ]]; then for lan_if in $LAN_INTERFACES; do
# Check if interface exists
if ip link show "$lan_if" &>/dev/null; then
# Allow traffic from LAN to container for TARGET_IP # Allow traffic from LAN to container for TARGET_IP
iptables -C DOCKER-USER -i "$lan_if" -o "$BRIDGE_NAME" -d "$TARGET_IP" -j ACCEPT 2>/dev/null || \ iptables -C DOCKER-USER -i "$lan_if" -o "$BRIDGE_NAME" -d "$TARGET_IP" -j ACCEPT 2>/dev/null || \
iptables -I DOCKER-USER 1 -i "$lan_if" -o "$BRIDGE_NAME" -d "$TARGET_IP" -j ACCEPT iptables -I DOCKER-USER 1 -i "$lan_if" -o "$BRIDGE_NAME" -d "$TARGET_IP" -j ACCEPT
@@ -61,27 +65,31 @@ apply_routes() {
iptables -I DOCKER-USER 1 -i "$BRIDGE_NAME" -o "$lan_if" -s "$TARGET_IP" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT iptables -I DOCKER-USER 1 -i "$BRIDGE_NAME" -o "$lan_if" -s "$TARGET_IP" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
log "DOCKER-USER iptables rules added for $lan_if <-> $BRIDGE_NAME" log "DOCKER-USER iptables rules added for $lan_if <-> $BRIDGE_NAME"
else
log "WARN: Could not detect LAN interface, skipping DOCKER-USER rules"
fi fi
done
# Masquerade traffic from LAN subnet to VPN bridge (so return traffic routes correctly)
iptables -t nat -C POSTROUTING -o "$BRIDGE_NAME" -s "$LAN_SUBNET" -j MASQUERADE 2>/dev/null || \
iptables -t nat -A POSTROUTING -o "$BRIDGE_NAME" -s "$LAN_SUBNET" -j MASQUERADE
log "NAT masquerade rule added for $LAN_SUBNET -> $BRIDGE_NAME"
log "OK: Host routing applied - $TARGET_IP via $CONTAINER_IP ($BRIDGE_NAME)" log "OK: Host routing applied - $TARGET_IP via $CONTAINER_IP ($BRIDGE_NAME)"
} }
remove_all() { remove_all() {
local lan_if
lan_if="$(get_lan_interface)"
log "Removing all routing rules..." log "Removing all routing rules..."
# Remove route # Remove route
ip route del "$TARGET_IP/32" via "$CONTAINER_IP" dev "$BRIDGE_NAME" 2>/dev/null || true ip route del "$TARGET_IP/32" via "$CONTAINER_IP" dev "$BRIDGE_NAME" 2>/dev/null || true
# Remove iptables rules # Remove iptables rules for all LAN interfaces
if [[ -n "$lan_if" ]]; then for lan_if in $LAN_INTERFACES; do
iptables -D DOCKER-USER -i "$lan_if" -o "$BRIDGE_NAME" -d "$TARGET_IP" -j ACCEPT 2>/dev/null || true iptables -D DOCKER-USER -i "$lan_if" -o "$BRIDGE_NAME" -d "$TARGET_IP" -j ACCEPT 2>/dev/null || true
iptables -D DOCKER-USER -i "$BRIDGE_NAME" -o "$lan_if" -s "$TARGET_IP" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT 2>/dev/null || true iptables -D DOCKER-USER -i "$BRIDGE_NAME" -o "$lan_if" -s "$TARGET_IP" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT 2>/dev/null || true
fi done
# Remove masquerade rule
iptables -t nat -D POSTROUTING -o "$BRIDGE_NAME" -s "$LAN_SUBNET" -j MASQUERADE 2>/dev/null || true
log "All routing rules removed" log "All routing rules removed"
} }