Fix for fwmark

Evidently, wireguard's (use of) fwmark is not well understood. In short, it determines which routing table to use for a tunnel's packets. Adding a fwmark to a roadwarrior client config won't do anything to the actual packets sent to a peer: Packets do not get marked. A QRCode with `FwMark = ...` in it is invalid. FwMark is now excluded from client configs (but is written to the server config /etc/wireguard/wgX.conf). Potential breaking change of `WGUI_FORWARD_MARK` to `WGUI_FIREWALL_MARK` But this has the effect of making users eventually notice that it probably does not do what they want/think. See: https://ro-che.info/articles/2021-02-27-linux-routing https://casavant.org/2020/10/10/wireguard-fwmark.html https://www.blinkenlights.ch/ccms/posts/source-based-routing/
systemcrash · Feb 16, 2023 · 101b556 · 101b556
1 parent aadf099
commit 101b556
Show file tree

Hide file tree

Showing 7 changed files with 17 additions and 37 deletions.
diff --git a/README.md b/README.md
@@ -58,7 +58,7 @@ Note:
 | `WGUI_DNS`                  | The default DNS servers (comma-separated-list) used in the global settings                                                                                   | `1.1.1.1`                          |
 | `WGUI_MTU`                  | The default MTU used in global settings                                                                                                                      | `1450`                             |
 | `WGUI_PERSISTENT_KEEPALIVE` | The default persistent keepalive for WireGuard in global settings                                                                                            | `15`                               |
-| `WGUI_FORWARD_MARK`         | The default WireGuard forward mark                                                                                                                           | `0xca6c`                           |
+| `WGUI_FIREWALL_MARK`        | The default WireGuard firewall mark                                                                                                                          | `0xca6c`  (51820)                          |
 | `WGUI_CONFIG_FILE_PATH`     | The default WireGuard config file path used in global settings                                                                                               | `/etc/wireguard/wg0.conf`          |
 | `WG_CONF_TEMPLATE`          | The custom `wg.conf` config file template. Please refer to our [default template](https://github.com/ngoduykhanh/wireguard-ui/blob/master/templates/wg.conf) | N/A                                |
 | `EMAIL_FROM_ADDRESS`        | The sender email address                                                                                                                                     | N/A                                |

diff --git a/model/setting.go b/model/setting.go
@@ -10,7 +10,7 @@ type GlobalSetting struct {
 	DNSServers          []string  `json:"dns_servers"`
 	MTU                 int       `json:"mtu,string"`
 	PersistentKeepalive int       `json:"persistent_keepalive,string"`
-	ForwardMark         string    `json:"forward_mark"`
+	FirewallMark        string    `json:"firewall_mark"`
 	ConfigFilePath      string    `json:"config_file_path"`
 	UpdatedAt           time.Time `json:"updated_at"`
 }
diff --git a/store/jsondb/jsondb.go b/store/jsondb/jsondb.go
@@ -96,7 +96,7 @@ func (o *JsonDB) Init() error {
 		globalSetting.DNSServers = util.LookupEnvOrStrings(util.DNSEnvVar, []string{util.DefaultDNS})
 		globalSetting.MTU = util.LookupEnvOrInt(util.MTUEnvVar, util.DefaultMTU)
 		globalSetting.PersistentKeepalive = util.LookupEnvOrInt(util.PersistentKeepaliveEnvVar, util.DefaultPersistentKeepalive)
-		globalSetting.ForwardMark = util.LookupEnvOrString(util.ForwardMarkEnvVar, util.DefaultForwardMark)
+		globalSetting.FirewallMark = util.LookupEnvOrString(util.FirewallMarkEnvVar, util.DefaultFirewallMark)
 		globalSetting.ConfigFilePath = util.LookupEnvOrString(util.ConfigFilePathEnvVar, util.DefaultConfigFilePath)
 		globalSetting.UpdatedAt = time.Now().UTC()
 		o.conn.Write("server", "global_settings", globalSetting)
@@ -219,9 +219,6 @@ func (o *JsonDB) GetClientByID(clientID string, qrCodeSettings model.QRCodeSetti
 		if !qrCodeSettings.IncludeMTU {
 			globalSettings.MTU = 0
 		}
-		if !qrCodeSettings.IncludeFwMark {
-			globalSettings.ForwardMark = ""
-		}
 
 		png, err := qrcode.Encode(util.BuildClientConfig(client, server, globalSettings), qrcode.Medium, 256)
 		if err == nil {

diff --git a/templates/clients.html b/templates/clients.html
@@ -70,17 +70,8 @@ <h4 class="modal-title">QR Code</h4>
             </div>
             <div class="modal-body">
                 <input type="hidden" id="qr_client_id" name="qr_client_id">
-                <a href="" download="" id="qr_code_a">
-                    <img id="qr_code" class="w-100" style="image-rendering: pixelated;" src="" alt="QR code" />
-                </a>
-                <div class="form-group">
-                    <div class="icheck-primary d-inline">
-                        <input type="checkbox" id="qr_include_fwmark" onchange="regenerateQRCode()">
-                        <label for="qr_include_fwmark">
-                            Include FwMark
-                        </label>
-                    </div>
-                </div>
+                <img id="qr_code" class="w-100" style="image-rendering: pixelated;" src="" alt="QR code" />
+                <!-- do not include FwMark in any client configs: it is INVALID. -->
             </div>
         </div>
         <!-- /.modal-content -->
@@ -425,9 +416,7 @@ <h4 class="modal-title">Remove</h4>
                 cache: false,
                 method: 'GET',
                 url: '{{.basePath}}/api/client/' + client_id,
-                data: { 
-                    qrCodeIncludeFwMark: include_fwmark
-                },
+                data: JSON.stringify(data),
                 dataType: 'json',
                 contentType: "application/json",
                 success: function (resp) {

diff --git a/templates/global_settings.html b/templates/global_settings.html
@@ -56,10 +56,10 @@ <h3 class="card-title">Wireguard Global Settings</h3>
                                     value="{{if .globalSettings.PersistentKeepalive }}{{ .globalSettings.PersistentKeepalive }}{{end}}">
                             </div>
                             <div class="form-group">
-                                <label for="forward_mark">Forward Mark</label>
-                                <input type="text" class="form-control" id="forward_mark"
-                                    name="forward_mark" placeholder="Forward Mark"
-                                    value="{{ .globalSettings.ForwardMark }}">
+                                <label for="firewall_mark">Firewall Mark</label>
+                                <input type="text" class="form-control" id="firewall_mark"
+                                    name="firewall_mark" placeholder="Firewall Mark"
+                                    value="{{ .globalSettings.FirewallMark }}">
                             </div>
                             <div class="form-group">
                                 <label for="config_file_path">Wireguard Config File Path</label>
@@ -100,8 +100,8 @@ <h3 class="card-title">Help</h3>
                                 until they reach out to other peers themselves. Adding <code>PersistentKeepalive</code>
                                 can ensure that the connection remains open.</dd>
                             <dd>Leave blank to omit this setting in the Client config.</dd>
-                            <dt>5. Forward Mark</dt>
-                            <dd>Set an <code>fwmark</code> on all packets going out of WireGuard's UDP socket. Default value: <code>0xca6c</code></dd>
+                            <dt>5. Firewall Mark</dt>
+                            <dd>Add a matching <code>fwmark</code> on all packets going out of a WireGuard non-default-route tunnel. Default value: <code>0xca6c</code></dd>
                             <dt>6. Wireguard Config File Path</dt>
                             <dd>The path of your Wireguard server config file. Please make sure the parent directory
                                 exists and is writable.</dd>
@@ -149,9 +149,9 @@ <h4 class="modal-title">Endpoint Address Suggestion</h4>
             const dns_servers = $("#dns_servers").val().split(",");
             const mtu = $("#mtu").val();
             const persistent_keepalive = $("#persistent_keepalive").val();
-            const forward_mark = $("#forward_mark").val();
+            const firewall_mark = $("#firewall_mark").val();
             const config_file_path = $("#config_file_path").val();
-            const data = {"endpoint_address": endpoint_address, "dns_servers": dns_servers, "mtu": mtu, "persistent_keepalive": persistent_keepalive, "forward_mark": forward_mark, "config_file_path": config_file_path};
+            const data = {"endpoint_address": endpoint_address, "dns_servers": dns_servers, "mtu": mtu, "persistent_keepalive": persistent_keepalive, "firewall_mark": firewall_mark, "config_file_path": config_file_path};
 
             $.ajax({
                 cache: false,
@@ -222,7 +222,7 @@ <h4 class="modal-title">Endpoint Address Suggestion</h4>
                     config_file_path: {
                         required: true
                     },
-                    forward_mark: {
+                    firewall_mark: {
                         required: false
                     }
                 },

diff --git a/util/config.go b/util/config.go
@@ -29,7 +29,7 @@ const (
 	DefaultDNS                             = "1.1.1.1"
 	DefaultMTU                             = 1450
 	DefaultPersistentKeepalive             = 15
-	DefaultForwardMark                     = "0xca6c"
+	DefaultFirewallMark                    = "0xca6c"  // i.e. 51820
 	DefaultConfigFilePath                  = "/etc/wireguard/wg0.conf"
 	UsernameEnvVar                         = "WGUI_USERNAME"
 	PasswordEnvVar                         = "WGUI_PASSWORD"
@@ -39,7 +39,7 @@ const (
 	DNSEnvVar                              = "WGUI_DNS"
 	MTUEnvVar                              = "WGUI_MTU"
 	PersistentKeepaliveEnvVar              = "WGUI_PERSISTENT_KEEPALIVE"
-	ForwardMarkEnvVar                      = "WGUI_FORWARD_MARK"
+	FirewallMarkEnvVar                     = "WGUI_FIREWALL_MARK"
 	ConfigFilePathEnvVar                   = "WGUI_CONFIG_FILE_PATH"
 	ServerAddressesEnvVar                  = "WGUI_SERVER_INTERFACE_ADDRESSES"
 	ServerListenPortEnvVar                 = "WGUI_SERVER_LISTEN_PORT"

diff --git a/util/util.go b/util/util.go
@@ -60,18 +60,12 @@ func BuildClientConfig(client model.Client, server model.Server, setting model.G
 		peerPersistentKeepalive = fmt.Sprintf("PersistentKeepalive = %d\n", setting.PersistentKeepalive)
 	}
 
-	forwardMark := ""
-	if setting.ForwardMark != "" {
-		forwardMark = fmt.Sprintf("FwMark = %s\n", setting.ForwardMark)
-	}
-
 	// build the config as string
 	strConfig := "[Interface]\n" +
 		clientAddress +
 		clientPrivateKey +
 		clientDNS +
 		clientMTU +
-		forwardMark +
 		"\n[Peer]\n" +
 		peerPublicKey +
 		peerPresharedKey +