Merge pull request #45 from YunoHost-Apps/testing

Testing

README.md

@@ -15,9 +15,9 @@ If you don't have YunoHost, please consult [the guide](https://yunohost.org/#/in
 
 ## Overview
 
-Virtual Private Networks (VPN) via WireGuard, with a web UI to ease configuration
+WireGuard® is fast and modern VPN that utilizes state-of-the-art cryptography. It aims to be faster, simpler, leaner, and more useful than IPsec. It intends to be considerably more performant than OpenVPN. WireGuard is designed as a general purpose VPN.
 
-**Shipped version:** 0.2.7~ynh8
+**Shipped version:** 0.3.2~ynh1
 
 
 
@@ -31,35 +31,12 @@ Virtual Private Networks (VPN) via WireGuard, with a web UI to ease configuratio
 * WireGuard for YunoHost will add a DMKS module to your Linux kernel.
   * You may need to reboot your server for WireGuard to be able to start.
 * The package includes WireGuard and non-official web UI to configure it.
-  * Avoid altering the configuration files via the command line interface, though.
+  * Do not manually alter the configuration files.
 * Use YunoHost permissions panel to allow users to access the web UI.
 * Only one network interface, *wg0*, can be managed with this app at the moment.
+* `Status` page is not working for the time being.
 
-### Make your server share its Internet connection
-
-#### Enable port forwarding
-
-```bash
-sudo nano /etc/sysctl.conf
-# Uncomment the following lines:
-net.ipv4.ip_forward = 1
-net.ipv6.conf.all.forwarding = 1
-# Save and quit (CTRL+O, CTRL+X)
-sudo sysctl -p
-```
-
-Add the following commands in `WireGuard Server` menu, like in [this picture](https://user-images.githubusercontent.com/8769166/124400150-cf354980-dd20-11eb-87c6-9478938d9c82.png). Replace `eth0` with the interface connected to the Internet:
-
-#### Post Up Script
-```
-iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
-```
-
-#### Post Down Script
-```
-iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
-```
-
+After installation, you need to `Apply Config` once in the UI before the VPN service can be started.
 
 ## Documentation and resources
 

README_fr.md

@@ -11,9 +11,9 @@ Si vous n'avez pas YunoHost, regardez [ici](https://yunohost.org/#/install) pour
 
 ## Vue d'ensemble
 
-Réseaux Privés Virtuels (VPN) via WireGuard, avec une web UI pour faciliter sa configuration
+WireGuard® is fast and modern VPN that utilizes state-of-the-art cryptography. It aims to be faster, simpler, leaner, and more useful than IPsec. It intends to be considerably more performant than OpenVPN. WireGuard is designed as a general purpose VPN.
 
-**Version incluse :** 0.2.7~ynh8
+**Version incluse :** 0.3.2~ynh1
 
 
 
@@ -27,35 +27,12 @@ Réseaux Privés Virtuels (VPN) via WireGuard, avec une web UI pour faciliter sa
 * Cette application ajoutera un module DMKS à votre noyau Linux.
   * Vous devriez redémarrer votre serveur pour que WireGuard puisse se lancer.
 * Cette application inclut WireGuard et une interface web non-officielle pour le configurer.
-  * Évitez de modifier les fichiers de configuration via la ligne de commande.
+  * Ne modifiez pas les fichiers de configuration à la main.
 * Utiliser le panneau de permissions de YunoHost pour autoriser des utilisateurs à accéder à WireGuard UI.
 * Une seule interface réseau, *wg0*, peut actuellement être gérée par cette app.
+* La page `Status` demeure non fonctionnelle pour l'instant.
 
-### Partagez votre connexion Internet via WireGuard
-
-#### Activez le *port forwarding*
-
-```bash
-sudo nano /etc/sysctl.conf
-# Décommentez les lignes suivantes :
-net.ipv4.ip_forward = 1
-net.ipv6.conf.all.forwarding = 1
-# Sauvegardez et quittez (CTRL+O, CTRL+X)
-sudo sysctl -p
-```
-
-Ajoutez les commandes suivantes dans le menu `WireGuard Server`, tel que dans [cette image](https://user-images.githubusercontent.com/8769166/124400150-cf354980-dd20-11eb-87c6-9478938d9c82.png). Remplacez `eth0` avec l'interface connectée à Internet :
-
-#### Post Up Script
-```
-iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
-```
-
-#### Post Down Script
-```
-iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
-```
-
+Après installation, vous devrez cliquer sur `Apply Config` une fois dans l'UI avant que le service VPN puisse être démarré.
 
 ## Documentations et ressources
 

check_process

@@ -1,13 +1,8 @@
-# See here for more information
-# https://github.com/YunoHost/package_check#syntax-check_process-file
-
-# Move this file from check_process.default to check_process when you have filled it.
-
 ;; Test complet
 	; Manifest
-		domain="domain.tld"	(DOMAIN)
-		path="/"	(PATH)
-		admin="john"	(USER)
+		domain="domain.tld"
+		path="/"
+		admin="john"
 	; Checks
 		pkg_linter=1
 		setup_sub_dir=0
@@ -19,11 +14,7 @@
 		upgrade=1	from_commit=797a3e5990571629a8525764ce6e8d359277313f
 		backup_restore=1
 		multi_instance=0
-		port_already_use=0
 		change_url=0
-;;; Levels
-	# If the level 5 (Package linter) is forced to 1. Please add justifications here.
-	Level 5=auto
 ;;; Options
 Email=
 Notification=none

conf/amd64.src

@@ -1,6 +1,5 @@
-SOURCE_URL=https://github.com/ngoduykhanh/wireguard-ui/releases/download/v0.2.7/wireguard-ui-v0.2.7-linux-amd64.tar.gz
-SOURCE_SUM=DC0FF54ABD2E08DB5ED722E07CEDA6E007CD5E6DFABD3A3B5A948CC8275D8100
+SOURCE_URL=https://github.com/ngoduykhanh/wireguard-ui/releases/download/v0.3.2/wireguard-ui-v0.3.2-linux-amd64.tar.gz
+SOURCE_SUM=71972b81f2d2ade50484cc1501a5896c8a08cfd82297f81c1d6279d7e0ff1f35
 SOURCE_SUM_PRG=sha256sum
 SOURCE_FORMAT=tar.gz
 SOURCE_IN_SUBDIR=false
-SOURCE_FILENAME=

conf/arm64.src

@@ -1,6 +1,5 @@
-SOURCE_URL=https://github.com/ngoduykhanh/wireguard-ui/releases/download/v0.2.7/wireguard-ui-v0.2.7-linux-arm64.tar.gz
-SOURCE_SUM=32331E591B0C3B9E4EC360B53B967A3CCEEEFE5B7FFEC3ADD61A9483B50B9F0D
+SOURCE_URL=https://github.com/ngoduykhanh/wireguard-ui/releases/download/v0.3.2/wireguard-ui-v0.3.2-linux-arm64.tar.gz
+SOURCE_SUM=8d31fc39495f8a6480531859f225f0fee36788515532d75d9cfaaa866000f52f
 SOURCE_SUM_PRG=sha256sum
 SOURCE_FORMAT=tar.gz
 SOURCE_IN_SUBDIR=false
-SOURCE_FILENAME=

conf/armhf.src

@@ -0,0 +1,5 @@
+SOURCE_URL=https://github.com/ngoduykhanh/wireguard-ui/releases/download/v0.3.2/wireguard-ui-v0.3.2-linux-arm.tar.gz
+SOURCE_SUM=4632fd96c7574321031907695fbbe6535884a8006b517c7f7d3ab289fb94be5f
+SOURCE_SUM_PRG=sha256sum
+SOURCE_FORMAT=tar.gz
+SOURCE_IN_SUBDIR=false

conf/i386.src

@@ -0,0 +1,5 @@
+SOURCE_URL=https://github.com/ngoduykhanh/wireguard-ui/releases/download/v0.3.2/wireguard-ui-v0.3.2-linux-386.tar.gz
+SOURCE_SUM=f76fc030d54e735977236d1984a906e749abb038208f410b406a2972498e3b9e
+SOURCE_SUM_PRG=sha256sum
+SOURCE_FORMAT=tar.gz
+SOURCE_IN_SUBDIR=false

conf/interfaces.json

@@ -1,8 +1,9 @@
 {
         "addresses": [
-                "10.10.10.0/24"
+                "10.10.10.0/24",
+                "fd42::/112"
         ],
         "listen_port": "__PORT_WG__",
-        "post_up": "",
-        "post_down": ""
+        "post_up": "iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o __INTERFACE__ -j MASQUERADE; ip6tables -A FORWARD -i %i -j ACCEPT; ip6tables -A FORWARD -o %i -j ACCEPT; ip6tables -t nat -A POSTROUTING -o __INTERFACE__ -j MASQUERADE; ip link set multicast on dev %i",
+        "post_down": "iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o __INTERFACE__ -j MASQUERADE; ip6tables -D FORWARD -i %i -j ACCEPT; ip6tables -D FORWARD -o %i -j ACCEPT; ip6tables -t nat -D POSTROUTING -o __INTERFACE__ -j MASQUERADE"
 }

conf/nginx.conf

@@ -1,11 +1,6 @@
 #sub_path_only rewrite ^__PATH__$ __PATH__/ permanent;
 location __PATH__/ {
 
-  # Force usage of https
-  if ($scheme = http) {
-    rewrite ^ https://$server_name$request_uri? permanent;
-  }
-
   proxy_pass        http://127.0.0.1:__PORT__/;
   proxy_redirect    off;
   proxy_set_header  Host $host;

conf/sysctl.conf

@@ -0,0 +1,2 @@
+net.ipv4.ip_forward = 1
+net.ipv6.conf.all.forwarding = 1

conf/wireguard@.path

@@ -0,0 +1,8 @@
+[Unit]
+Description=Watch WireGuard %I.conf for changes
+
+[Path]
+PathModified=/etc/wireguard/%I.conf
+
+[Install]
+WantedBy=multi-user.target

conf/wireguard@.service

@@ -0,0 +1,14 @@
+[Unit]
+Description=WireGuard on %I
+After=network-online.target nss-lookup.target
+Wants=network-online.target nss-lookup.target
+
+[Service]
+Type=oneshot
+User=root
+RemainAfterExit=yes
+ExecStart=/bin/systemctl restart wg-quick@%I.service
+ExecStop=/bin/systemctl stop wg-quick@%I.service
+
+[Install]
+WantedBy=multi-user.target

conf/wireguard_ui.service

@@ -9,5 +9,40 @@ Group=__APP__
 WorkingDirectory=__FINALPATH__/
 ExecStart=__FINALPATH__/wireguard-ui --bind-address="127.0.0.1:__PORT__" --disable-login
 
+# Sandboxing options to harden security
+# Depending on specificities of your service/app, you may need to tweak these 
+# .. but this should be a good baseline
+# Details for these options: https://www.freedesktop.org/software/systemd/man/systemd.exec.html
+NoNewPrivileges=yes
+PrivateTmp=yes
+PrivateDevices=yes
+# Disabling the following restriction since the UI needs to poll the interfaces
+#RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
+RestrictNamespaces=yes
+RestrictRealtime=yes
+DevicePolicy=closed
+ProtectSystem=full
+ProtectControlGroups=yes
+ProtectKernelModules=yes
+ProtectKernelTunables=yes
+LockPersonality=yes
+SystemCallFilter=~@clock @debug @module @mount @obsolete @reboot @setuid @swap
+
+# Denying access to capabilities that should not be relevant for webapps
+# Doc: https://man7.org/linux/man-pages/man7/capabilities.7.html
+CapabilityBoundingSet=~CAP_RAWIO CAP_MKNOD
+CapabilityBoundingSet=~CAP_AUDIT_CONTROL CAP_AUDIT_READ CAP_AUDIT_WRITE
+CapabilityBoundingSet=~CAP_SYS_BOOT CAP_SYS_TIME CAP_SYS_MODULE CAP_SYS_PACCT
+CapabilityBoundingSet=~CAP_LEASE CAP_LINUX_IMMUTABLE CAP_IPC_LOCK
+CapabilityBoundingSet=~CAP_BLOCK_SUSPEND CAP_WAKE_ALARM
+CapabilityBoundingSet=~CAP_SYS_TTY_CONFIG
+CapabilityBoundingSet=~CAP_MAC_ADMIN CAP_MAC_OVERRIDE
+# Disabling the following restriction since the UI needs to poll the interfaces
+#CapabilityBoundingSet=~CAP_NET_ADMIN CAP_NET_BROADCAST CAP_NET_RAW
+CapabilityBoundingSet=~CAP_SYS_ADMIN CAP_SYS_PTRACE CAP_SYSLOG 
+
+# Exception to ProtectSystem
+ReadWritePaths=/etc/wireguard
+
 [Install]
 WantedBy=multi-user.target

doc/DESCRIPTION.md

@@ -0,0 +1 @@
+WireGuard® is fast and modern VPN that utilizes state-of-the-art cryptography. It aims to be faster, simpler, leaner, and more useful than IPsec. It intends to be considerably more performant than OpenVPN. WireGuard is designed as a general purpose VPN.

doc/DISCLAIMER.md

@@ -1,32 +1,9 @@
 * WireGuard for YunoHost will add a DMKS module to your Linux kernel.
   * You may need to reboot your server for WireGuard to be able to start.
 * The package includes WireGuard and non-official web UI to configure it.
-  * Avoid altering the configuration files via the command line interface, though.
+  * Do not manually alter the configuration files.
 * Use YunoHost permissions panel to allow users to access the web UI.
 * Only one network interface, *wg0*, can be managed with this app at the moment.
+* `Status` page is not working for the time being.
 
-### Make your server share its Internet connection
-
-#### Enable port forwarding
-
-```bash
-sudo nano /etc/sysctl.conf
-# Uncomment the following lines:
-net.ipv4.ip_forward = 1
-net.ipv6.conf.all.forwarding = 1
-# Save and quit (CTRL+O, CTRL+X)
-sudo sysctl -p
-```
-
-Add the following commands in `WireGuard Server` menu, like in [this picture](https://user-images.githubusercontent.com/8769166/124400150-cf354980-dd20-11eb-87c6-9478938d9c82.png). Replace `eth0` with the interface connected to the Internet:
-
-#### Post Up Script
-```
-iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
-```
-
-#### Post Down Script
-```
-iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
-```
-
+After installation, you need to `Apply Config` once in the UI before the VPN service can be started.

doc/DISCLAIMER_fr.md

@@ -1,32 +1,9 @@
 * Cette application ajoutera un module DMKS à votre noyau Linux.
   * Vous devriez redémarrer votre serveur pour que WireGuard puisse se lancer.
 * Cette application inclut WireGuard et une interface web non-officielle pour le configurer.
-  * Évitez de modifier les fichiers de configuration via la ligne de commande.
+  * Ne modifiez pas les fichiers de configuration à la main.
 * Utiliser le panneau de permissions de YunoHost pour autoriser des utilisateurs à accéder à WireGuard UI.
 * Une seule interface réseau, *wg0*, peut actuellement être gérée par cette app.
+* La page `Status` demeure non fonctionnelle pour l'instant.
 
-### Partagez votre connexion Internet via WireGuard
-
-#### Activez le *port forwarding*
-
-```bash
-sudo nano /etc/sysctl.conf
-# Décommentez les lignes suivantes :
-net.ipv4.ip_forward = 1
-net.ipv6.conf.all.forwarding = 1
-# Sauvegardez et quittez (CTRL+O, CTRL+X)
-sudo sysctl -p
-```
-
-Ajoutez les commandes suivantes dans le menu `WireGuard Server`, tel que dans [cette image](https://user-images.githubusercontent.com/8769166/124400150-cf354980-dd20-11eb-87c6-9478938d9c82.png). Remplacez `eth0` avec l'interface connectée à Internet :
-
-#### Post Up Script
-```
-iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
-```
-
-#### Post Down Script
-```
-iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
-```
-
+Après installation, vous devrez cliquer sur `Apply Config` une fois dans l'UI avant que le service VPN puisse être démarré.