feat(wireguard): add linux host routing

x0sina · x0sina · commit f90d5200f571 · 2026-04-09T01:37:36.000+03:30
diff --git a/Dockerfile.wireguard b/Dockerfile.wireguard
@@ -17,7 +17,7 @@ FROM alpine:latest
 
 LABEL org.opencontainers.image.source="https://github.com/PasarGuard/node"
 
-RUN apk update && apk add --no-cache wireguard-tools
+RUN apk update && apk add --no-cache wireguard-tools nftables iproute2
 
 WORKDIR /app
 COPY --from=builder /src /app
diff --git a/backend/wireguard/defaultroute_linux.go b/backend/wireguard/defaultroute_linux.go
@@ -0,0 +1,49 @@
+//go:build linux
+
+package wireguard
+
+import (
+	"bytes"
+	"encoding/json"
+	"os"
+	"os/exec"
+	"strings"
+)
+
+// linuxDefaultRouteInterfaceIPv4 returns the egress interface for the IPv4 default route
+// (e.g. ens192, eth0, enp0s3). Used when PG_NODE_WG_NAT_OUTPUT_INTERFACE is unset.
+func linuxDefaultRouteInterfaceIPv4() (string, bool) {
+	if out, err := exec.Command("ip", "-4", "-j", "route", "show", "default").Output(); err == nil {
+		var routes []struct {
+			Dev string `json:"dev"`
+		}
+		if err := json.Unmarshal(bytes.TrimSpace(out), &routes); err == nil && len(routes) > 0 {
+			if dev := strings.TrimSpace(routes[0].Dev); dev != "" {
+				return dev, true
+			}
+		}
+	}
+	if out, err := os.ReadFile("/proc/net/route"); err == nil {
+		return parseDefaultIfaceFromProcNetRoute(out)
+	}
+	return "", false
+}
+
+// parseDefaultIfaceFromProcNetRoute parses /proc/net/route (kernel ABI).
+// Default route rows use destination 00000000.
+func parseDefaultIfaceFromProcNetRoute(data []byte) (string, bool) {
+	for _, line := range bytes.Split(data, []byte{'\n'}) {
+		fields := strings.Fields(string(line))
+		if len(fields) < 2 {
+			continue
+		}
+		iface := fields[0]
+		if iface == "Iface" {
+			continue
+		}
+		if fields[1] == "00000000" {
+			return iface, true
+		}
+	}
+	return "", false
+}
diff --git a/backend/wireguard/defaultroute_linux_test.go b/backend/wireguard/defaultroute_linux_test.go
@@ -0,0 +1,15 @@
+//go:build linux
+
+package wireguard
+
+import "testing"
+
+func TestParseDefaultIfaceFromProcNetRoute(t *testing.T) {
+	const sample = "Iface\tDestination\tGateway \tFlags\tRefCnt\tUse\tMetric\tMask\t\tMTU\tWindow\tIRTT\n" +
+		"ens33\t00000000\t010AA8C0\t0003\t0\t0\t100\t00000000\t0\t0\t0\n"
+
+	got, ok := parseDefaultIfaceFromProcNetRoute([]byte(sample))
+	if !ok || got != "ens33" {
+		t.Fatalf("got %q ok=%v", got, ok)
+	}
+}
diff --git a/backend/wireguard/host_routing_linux.go b/backend/wireguard/host_routing_linux.go
@@ -0,0 +1,93 @@
+//go:build linux
+
+package wireguard
+
+import (
+	"fmt"
+	"log"
+	"os"
+	"os/exec"
+	"strings"
+)
+
+const (
+	envHostRouting        = "PG_NODE_WG_HOST_ROUTING"
+	envNATOutputInterface = "PG_NODE_WG_NAT_OUTPUT_INTERFACE"
+)
+
+// applyLinuxHostRouting enables IPv4/IPv6 forwarding and installs an nftables masquerade
+// rule for traffic from the WireGuard interface to the IPv4 default-route egress interface.
+//
+// wgInterfaceName comes from core JSON interface_name (e.g. wg0, wg1); never hardcoded here.
+// The NAT egress interface is resolved in order:
+//  1. PG_NODE_WG_NAT_OUTPUT_INTERFACE if set
+//  2. IPv4 default route interface (ip -4 -j route, else /proc/net/route)
+//  3. eth0 as last-resort fallback
+//
+// Disable all of this with PG_NODE_WG_HOST_ROUTING=0.
+func applyLinuxHostRouting(wgInterfaceName string) {
+	if v := strings.TrimSpace(os.Getenv(envHostRouting)); v == "0" || strings.EqualFold(v, "false") {
+		return
+	}
+
+	wgIf := strings.TrimSpace(wgInterfaceName)
+	if wgIf == "" {
+		wgIf = "wg0"
+	}
+
+	outIf := strings.TrimSpace(os.Getenv(envNATOutputInterface))
+	if outIf == "" {
+		var ok bool
+		outIf, ok = linuxDefaultRouteInterfaceIPv4()
+		if !ok {
+			outIf = "eth0"
+			log.Printf(
+				"wireguard host routing: could not detect default IPv4 egress interface; using fallback %q (set %s)",
+				outIf,
+				envNATOutputInterface,
+			)
+		}
+	}
+
+	if err := writeSysctl("net/ipv4/ip_forward", "1"); err != nil {
+		log.Printf("wireguard host routing: ipv4 forwarding: %v", err)
+	}
+	if err := writeSysctl("net/ipv6/conf/all/forwarding", "1"); err != nil {
+		log.Printf("wireguard host routing: ipv6 forwarding: %v", err)
+	}
+
+	log.Printf("wireguard host routing: wg interface %q, NAT egress %q (masquerade)", wgIf, outIf)
+
+	if err := ensureNFTMasquerade(wgIf, outIf); err != nil {
+		log.Printf("wireguard host routing: nftables masquerade (optional): %v", err)
+	}
+}
+
+func writeSysctl(relPath, value string) error {
+	path := "/proc/sys/" + relPath
+	return os.WriteFile(path, []byte(value+"\n"), 0)
+}
+
+// ensureNFTMasquerade replaces table ip pasarguard_wg. Traffic is matched from the
+// configured WireGuard interface to the detected/configured egress interface only.
+func ensureNFTMasquerade(wgIface, outputIface string) error {
+	del := exec.Command("nft", "delete", "table", "ip", "pasarguard_wg")
+	_ = del.Run()
+
+	cfg := fmt.Sprintf(`table ip pasarguard_wg {
+	chain postrouting {
+		type nat hook postrouting priority 100;
+		policy accept;
+		iifname %q oifname %q masquerade
+	}
+}
+`, wgIface, outputIface)
+
+	cmd := exec.Command("nft", "-f", "-")
+	cmd.Stdin = strings.NewReader(cfg)
+	out, err := cmd.CombinedOutput()
+	if err != nil {
+		return fmt.Errorf("%w: %s", err, strings.TrimSpace(string(out)))
+	}
+	return nil
+}
diff --git a/backend/wireguard/host_routing_other.go b/backend/wireguard/host_routing_other.go
@@ -0,0 +1,6 @@
+//go:build !linux
+
+package wireguard
+
+// applyLinuxHostRouting is a no-op on non-Linux platforms.
+func applyLinuxHostRouting(_ string) {}
diff --git a/backend/wireguard/wireguard.go b/backend/wireguard/wireguard.go
@@ -170,6 +170,7 @@ func newWithManagerFactory(cfg *config.Config, wgConfig *Config, users []*common
 	psk, _ := wgConfig.GetPreSharedKey()
 	startupPeerConfigs, appliedKeys := buildTargetPeerConfigs(startupDiff.TargetPeers, psk)
 
+
 	manager, err := wg.newManager(wgConfig.InterfaceName)
 	if err != nil {
 		return nil, fmt.Errorf("failed to create manager: %w", err)
@@ -181,6 +182,9 @@ func newWithManagerFactory(cfg *config.Config, wgConfig *Config, users []*common
 		return nil, fmt.Errorf("failed to initialize interface: %w", err)
 	}
 
+	// After the tunnel exists, apply sysctl + nft so iifname matches the real interface name from core config.
+	applyLinuxHostRouting(wgConfig.InterfaceName)
+
 	wg.manager = manager
 
 	// Initialize PeerStore with successfully committed peers.
diff --git a/docker-compose.yml b/docker-compose.yml
@@ -13,6 +13,9 @@ services:
     environment:
       SERVICE_PORT: 62050
       SERVICE_PROTOCOL: "grpc"
+      # Linux: IP forwarding + nft masquerade from the WG interface (core interface_name) to the IPv4 default route iface.
+      # NAT egress is auto-detected (ip route / /proc/net/route); set PG_NODE_WG_NAT_OUTPUT_INTERFACE to override (e.g. eth0, ens192).
+      PG_NODE_WG_HOST_ROUTING: "1"
 
       SSL_CERT_FILE: "/var/lib/pg-node/certs/ssl_cert.pem"
       SSL_KEY_FILE: "/var/lib/pg-node/certs/ssl_key.pem"
