revert(cistech-tunnel): restore to original working state at a7691b1

- Removed shared/ folder (host routing scripts) - Restored original config.json, docker-compose.json - Restored original Dockerfile and entrypoint.sh Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-01-17 11:30:34 +00:00
parent f410510a7f
commit 4fd8688685
7 changed files with 34 additions and 296 deletions
--- a/apps/cistech-tunnel/shared/host-routing.sh
+++ b/apps/cistech-tunnel/shared/host-routing.sh
@@ -1,123 +0,0 @@
-#!/usr/bin/env bash
-#
-# Host routing script for cistech-tunnel
-# Routes target subnets through the VPN container
-#
-set -euo pipefail
-
-ACTION="${1:-start}"
-
-# Fixed configuration
-CONTAINER_IP="172.30.0.10"
-BRIDGE_NAME="br-vpn-static"
-TARGET_SUBNETS="10.3.1.0/24 10.255.255.0/24"
-LAN_SUBNET="192.168.0.0/23"
-LAN_INTERFACES="eth0 eth1 wlan0"
-LOG_FILE="/var/log/cistech-routing.log"
-
-log() {
-    local msg="[$(date '+%Y-%m-%d %H:%M:%S')] [cistech-routing] $*"
-    echo "$msg" | tee -a "$LOG_FILE" >&2
-}
-
-get_lan_interface() {
-    ip route show default | awk '/default/ {for(i=1;i<=NF;i++) if($i=="dev") print $(i+1)}' | head -1
-}
-
-remove_routes() {
-    log "Removing stale routes..."
-    for subnet in $TARGET_SUBNETS; do
-        ip route del "$subnet" 2>/dev/null || true
-    done
-    log "Stale routes removed"
-}
-
-apply_routes() {
-    local lan_if
-    lan_if="$(get_lan_interface)"
-
-    log "Applying host routing rules..."
-    log "  Container IP: $CONTAINER_IP"
-    log "  Bridge: $BRIDGE_NAME"
-    log "  Target subnets: $TARGET_SUBNETS"
-    log "  LAN interface: ${lan_if:-unknown}"
-
-    # Enable IP forwarding
-    echo 1 > /proc/sys/net/ipv4/ip_forward
-    log "IP forwarding enabled"
-
-    # Add routes to target subnets via container
-    for subnet in $TARGET_SUBNETS; do
-        ip route replace "$subnet" via "$CONTAINER_IP" dev "$BRIDGE_NAME"
-        log "Route added: $subnet via $CONTAINER_IP dev $BRIDGE_NAME"
-    done
-
-    # Allow forwarding in DOCKER-USER chain for all LAN interfaces
-    for lan_if in $LAN_INTERFACES; do
-        if ip link show "$lan_if" &>/dev/null; then
-            # Allow traffic from LAN to container bridge
-            iptables -C DOCKER-USER -i "$lan_if" -o "$BRIDGE_NAME" -j ACCEPT 2>/dev/null || \
-                iptables -I DOCKER-USER 1 -i "$lan_if" -o "$BRIDGE_NAME" -j ACCEPT
-
-            # Allow return traffic
-            iptables -C DOCKER-USER -i "$BRIDGE_NAME" -o "$lan_if" -m state --state RELATED,ESTABLISHED -j ACCEPT 2>/dev/null || \
-                iptables -I DOCKER-USER 1 -i "$BRIDGE_NAME" -o "$lan_if" -m state --state RELATED,ESTABLISHED -j ACCEPT
-
-            log "DOCKER-USER iptables rules added for $lan_if <-> $BRIDGE_NAME"
-        fi
-    done
-
-    # Masquerade traffic from LAN subnet to VPN bridge (using nft)
-    if ! nft list chain ip nat POSTROUTING 2>/dev/null | grep -q "saddr $LAN_SUBNET.*oifname.*$BRIDGE_NAME.*masquerade"; then
-        nft add rule ip nat POSTROUTING ip saddr "$LAN_SUBNET" oifname "$BRIDGE_NAME" counter masquerade
-        log "NAT masquerade rule added for $LAN_SUBNET -> $BRIDGE_NAME"
-    else
-        log "NAT masquerade rule already exists for $LAN_SUBNET -> $BRIDGE_NAME"
-    fi
-
-    log "OK: Host routing applied"
-}
-
-remove_all() {
-    log "Removing all routing rules..."
-
-    # Remove routes
-    for subnet in $TARGET_SUBNETS; do
-        ip route del "$subnet" via "$CONTAINER_IP" dev "$BRIDGE_NAME" 2>/dev/null || true
-    done
-
-    # Remove iptables rules for all LAN interfaces
-    for lan_if in $LAN_INTERFACES; do
-        iptables -D DOCKER-USER -i "$lan_if" -o "$BRIDGE_NAME" -j ACCEPT 2>/dev/null || true
-        iptables -D DOCKER-USER -i "$BRIDGE_NAME" -o "$lan_if" -m state --state RELATED,ESTABLISHED -j ACCEPT 2>/dev/null || true
-    done
-
-    # Remove masquerade rule (using nft)
-    local handle
-    handle=$(nft -a list chain ip nat POSTROUTING 2>/dev/null | grep "saddr $LAN_SUBNET.*oifname.*$BRIDGE_NAME.*masquerade" | grep -oP 'handle \K\d+' | head -1)
-    if [ -n "$handle" ]; then
-        nft delete rule ip nat POSTROUTING handle "$handle" 2>/dev/null || true
-    fi
-
-    log "All routing rules removed"
-}
-
-case "$ACTION" in
-    start)
-        remove_routes
-        apply_routes
-        ;;
-    stop)
-        remove_all
-        ;;
-    restart)
-        remove_all
-        sleep 1
-        remove_routes
-        apply_routes
-        ;;
-    *)
-        echo "Usage: $0 {start|stop|restart}" >&2
-        exit 2
-        ;;
-esac