Allow TCP & UDP connections, Fly.io & examples

Dockerfile

@@ -18,10 +18,13 @@ RUN \
     iptables \
     iputils-ping \
     net-tools \
+    rinetd \
     openresolv \
     procps \
     wireguard-tools && \
   update-alternatives --set iptables /usr/sbin/iptables-legacy && \
+  update-alternatives --set ip6tables /usr/sbin/ip6tables-legacy && \
+  update-alternatives --set ip6tables /usr/sbin/ip6tables-nft && \
   apt autoremove -y && \
   rm -rf \
     /tmp/* \

README.md

@@ -95,6 +95,8 @@ Note: if you have a firewall in front of your server you will need to allow conn
 Once started you should be able to access both nginx servers via their exposed ports on the WireGuard server, for example:  
 `wireguard-server.example.com:8080` and `wireguard-server.example.com:8081`
 
-You may want to combine the WireGuard tunnel server with [Traefik](example-tls-traefik.md) or [Nginx Proxy Manager](https://nginxproxymanager.com/) to automatically provision TLS/HTTPS certificates.
+You may want to combine the WireGuard tunnel server with [Traefik](example-tls-traefik.md) or [Nginx Proxy Manager](https://nginxproxymanager.com/) or use a 3rd party service such as [Fly.io](example-tls-fly-io.md).
 
-For a full example see [using Docker WireGuard Tunnel with Traefik](example-tls-traefik.md).
+Examples using Docker WireGuard Tunnel with:
+* [Traefik](example-tls-traefik.md) to automatically provision TLS/HTTPS certificates
+* [Fly.io](example-tls-fly-io.md) to provision a free server, subdomain and TLS/HTTPS certificates

example-tls-fly-io.md

@@ -0,0 +1,114 @@
+# Example using Docker WireGuard Tunnel with Fly.io
+
+[Fly.io](https://fly.io/) is a platform to deploy app servers. Their free allowance is quite generous and works with Docker WireGuard Tunnels.
+
+This assumes that you have already setup [Fly.io account](https://fly.io/), have [installed their command line tool](https://fly.io/docs/hands-on/install-flyctl/) and have entered your credit card details on your Fly.io account (they wont charge unless you [exceed their free allowances](https://fly.io/docs/about/pricing/)).
+
+## Server
+
+Will accept connections on behalf of a peer and tunnel them to the designated peer.
+
+`fly.toml`
+
+```yml
+# fly.toml app configuration file
+#
+# See https://fly.io/docs/reference/configuration/ for information about how to use this file.
+#
+
+# Choose your own fly.dev subdomain here
+app = "my-app-1234"
+
+[build]
+  image = "ghcr.io/digitallyrefined/docker-wireguard-tunnel:v1"
+
+[env]
+  DOMAIN = "my-app-1234.fly.dev" # Update this to match your subdomain
+  PEERS = "1"
+  SERVICES = "peer1:nginx:80:8080"
+
+[[mounts]]
+  source = "wireguard_data"
+  destination = "/etc/wireguard"
+
+[[services]]
+  protocol = "udp"
+  internal_port = 51820
+
+  [[services.ports]]
+    port = 51820
+
+[[services]]
+  protocol = "tcp"
+  internal_port = 8080
+
+  [[services.ports]]
+    port = 443
+    handlers = ["tls", "http"]
+    [services.ports.tls_options]
+      alpn = ["h2", "http/1.1"]
+      versions = ["TLSv1.2", "TLSv1.3"]
+```
+
+```bash
+fly launch
+```
+Use the following options:
+
+```log
+? Would you like to copy its configuration to the new app? Yes
+? Choose an app name (leaving blank will default to 'my-app-1234') change-me
+? Choose a region for deployment: Denver, Colorado (US) (den) # Or a location closest to you
+? Would you like to set up a Postgresql database now? No
+? Would you like to set up an Upstash Redis database now? No
+? Would you like to deploy now? Yes
+? Would you like to allocate a dedicated ipv4 address now? Yes
+```
+
+Once started, a `peer1.conf` file will be automatically generated in the `/etc/wireguard` directory, it can be viewed and then removed via:
+
+```bash
+fly ssh console
+cat /etc/wireguard/peer1.conf
+# Copy the contents of peer1.conf
+rm /etc/wireguard/peer1.conf
+```
+
+## Peer
+
+Will connect to the server via WireGuard and setup a tunnel to expose the listed ports.
+
+Paste the `peer1.conf` contents from the Fly.io server into a file named `config/wg0.conf` on the peer.
+
+`docker-compose.yml`
+
+```yml
+services:
+  wireguard-peer:
+    image: ghcr.io/digitallyrefined/docker-wireguard-tunnel:v1
+    container_name: wireguard-peer
+    environment:
+      # Note that DOMAIN & PEERS are not required for the peer
+      # Services to expose
+      # Format: SERVICES=peer-id:peer-container-name:peer-container-port:expose-port-as
+      - SERVICES=peer1:nginx:80:8080
+    cap_add:
+      - NET_ADMIN
+    volumes:
+      - ./config:/etc/wireguard
+    restart: unless-stopped
+    links:
+      - nginx:nginx
+      - nginx-demo:nginx-demo
+
+  nginx:
+    image: nginx
+```
+
+```bash
+docker compose up -d
+docker compose logs -f
+```
+
+Once started you should be able to access the demo nginx server via the domain name that was created by Fly.io, for example:   
+`https://my-app-1234.fly.dev`

wg-start.sh

@@ -54,14 +54,15 @@ for serv in "${SERVICE[@]}"; do
   expose_port_as=${service_parts[3]}
 
   if [[ ${DOMAIN} && ${PEERS} ]]; then
-    iptables -t nat -A PREROUTING -p tcp --dport $expose_port_as -j DNAT --to-destination 10.0.0.$peer_number:$expose_port_as
+    echo "0.0.0.0 $expose_port_as 10.0.0.$peer_number $expose_port_as" >>/etc/rinetd.conf
   else
     container_ip=$(ping -c1 $service_hostname | sed -nE 's/^PING[^(]+\(([^)]+)\).*/\1/p')
-    iptables -t nat -A PREROUTING -p tcp --dport $expose_port_as -j DNAT --to-destination $container_ip:$container_port
+    echo "0.0.0.0 $expose_port_as $container_ip $container_port" >>/etc/rinetd.conf
   fi
 done
 
-iptables -t nat -A POSTROUTING -j MASQUERADE
+echo "$(date): Starting Internet redirection server"
+rinetd
 
 echo "$(date): Starting Wireguard"
 wg-quick up wg0