Add option to disable ipv6 (#1951)

* add option to disable ipv6 * don't add ipv6 address * update docs
2025-09-26 19:51:15 +08:00 · 2025-07-01 07:57:14 +02:00
parent 68fde7d165
commit 0f663df7f6
7 changed files with 116 additions and 14 deletions
--- a/1
+++ b/1
@@ -54,6 +54,7 @@ ENV PORT=51821
 ENV HOST=0.0.0.0
 ENV INSECURE=false
 ENV INIT_ENABLED=false
 ENV DISABLE_IPV6=false
 LABEL org.opencontainers.image.source=https://github.com/wg-easy/wg-easy
--- a/Dockerfile.dev
+++ b/Dockerfile.dev
@@ -28,6 +28,7 @@ ENV PORT=51821
 ENV HOST=0.0.0.0
 ENV INSECURE=true
 ENV INIT_ENABLED=false
 ENV DISABLE_IPV6=false
 # Install Dependencies
 COPY src/package.json src/pnpm-lock.yaml ./
--- a/docs/content/advanced/config/optional-config.md
+++ b/docs/content/advanced/config/optional-config.md
@@ -4,8 +4,19 @@ title: Optional Configuration
 You can set these environment variables to configure the container. They are not required, but can be useful in some cases.
-| Env        | Default   | Example     | Description                    |
+| Env            | Default   | Example     | Description                        |
-| ---------- | --------- | ----------- | ------------------------------ |
+| -------------- | --------- | ----------- | ---------------------------------- |
-| `PORT`     | `51821`   | `6789`      | TCP port for Web UI.           |
+| `PORT`         | `51821`   | `6789`      | TCP port for Web UI.               |
-| `HOST`     | `0.0.0.0` | `localhost` | IP address web UI binds to.    |
+| `HOST`         | `0.0.0.0` | `localhost` | IP address web UI binds to.        |
-| `INSECURE` | `false`   | `true`      | If access over http is allowed |
+| `INSECURE`     | `false`   | `true`      | If access over http is allowed     |
 | `DISABLE_IPV6` | `false`   | `true`      | If IPv6 support should be disabled |
 /// note | IPv6 Caveats
 Disabling IPv6 will disable the creation of the default IPv6 firewall rules and won't add a IPv6 address to the interface and clients.
 You will however still see a IPv6 address in the Web UI, but it won't be used.
 This option can be removed in the future, as more devices support IPv6.
 ///
--- a/src/server/database/sqlite.ts
+++ b/src/server/database/sqlite.ts
@@ -2,6 +2,7 @@ import { drizzle } from 'drizzle-orm/libsql';
 import { migrate as drizzleMigrate } from 'drizzle-orm/libsql/migrator';
 import { createClient } from '@libsql/client';
 import debug from 'debug';
 import { eq } from 'drizzle-orm';
 import * as schema from './schema';
 import { ClientService } from './repositories/client/service';
@@ -25,6 +26,11 @@ export async function connect() {
    await initialSetup(dbService);
  }
  if (WG_ENV.DISABLE_IPV6) {
    DB_DEBUG('Warning: Disabling IPv6...');
    await disableIpv6(db);
  }
  return dbService;
 }
@@ -108,3 +114,48 @@ async function initialSetup(db: DBServiceType) {
    await db.general.setSetupStep(0);
  }
 }
 async function disableIpv6(db: DBType) {
  // This should match the initial value migration
  const postUpMatch =
    ' ip6tables -t nat -A POSTROUTING -s {{ipv6Cidr}} -o {{device}} -j MASQUERADE; ip6tables -A INPUT -p udp -m udp --dport {{port}} -j ACCEPT; ip6tables -A FORWARD -i wg0 -j ACCEPT; ip6tables -A FORWARD -o wg0 -j ACCEPT;';
  const postDownMatch =
    ' ip6tables -t nat -D POSTROUTING -s {{ipv6Cidr}} -o {{device}} -j MASQUERADE; ip6tables -D INPUT -p udp -m udp --dport {{port}} -j ACCEPT; ip6tables -D FORWARD -i wg0 -j ACCEPT; ip6tables -D FORWARD -o wg0 -j ACCEPT;';
  await db.transaction(async (tx) => {
    const hooks = await tx.query.hooks.findFirst({
      where: eq(schema.hooks.id, 'wg0'),
    });
    if (!hooks) {
      throw new Error('Hooks not found');
    }
    if (hooks.postUp.includes(postUpMatch)) {
      DB_DEBUG('Disabling IPv6 in Post Up hooks...');
      await tx
        .update(schema.hooks)
        .set({
          postUp: hooks.postUp.replace(postUpMatch, ''),
          postDown: hooks.postDown.replace(postDownMatch, ''),
        })
        .where(eq(schema.hooks.id, 'wg0'))
        .execute();
    } else {
      DB_DEBUG('IPv6 Post Up hooks already disabled, skipping...');
    }
    if (hooks.postDown.includes(postDownMatch)) {
      DB_DEBUG('Disabling IPv6 in Post Down hooks...');
      await tx
        .update(schema.hooks)
        .set({
          postUp: hooks.postUp.replace(postUpMatch, ''),
          postDown: hooks.postDown.replace(postDownMatch, ''),
        })
        .where(eq(schema.hooks.id, 'wg0'))
        .execute();
    } else {
      DB_DEBUG('IPv6 Post Down hooks already disabled, skipping...');
    }
  });
 }
--- a/src/server/utils/WireGuard.ts
+++ b/src/server/utils/WireGuard.ts
@@ -25,13 +25,21 @@ class WireGuard {
    const hooks = await Database.hooks.get();
    const result = [];
-    result.push(wg.generateServerInterface(wgInterface, hooks));
+    result.push(
      wg.generateServerInterface(wgInterface, hooks, {
        enableIpv6: !WG_ENV.DISABLE_IPV6,
      })
    );
    for (const client of clients) {
      if (!client.enabled) {
        continue;
      }
-      result.push(wg.generateServerPeer(client));
+      result.push(
        wg.generateServerPeer(client, {
          enableIpv6: !WG_ENV.DISABLE_IPV6,
        })
      );
    }
    result.push('');
@@ -125,7 +133,9 @@ class WireGuard {
      throw new Error('Client not found');
    }
-    return wg.generateClientConfig(wgInterface, userConfig, client);
+    return wg.generateClientConfig(wgInterface, userConfig, client, {
      enableIpv6: !WG_ENV.DISABLE_IPV6,
    });
  }
  async getClientQRCodeSVG({ clientId }: { clientId: ID }) {
--- a/src/server/utils/config.ts
+++ b/src/server/utils/config.ts
@@ -17,6 +17,8 @@ export const WG_ENV = {
  INSECURE: process.env.INSECURE === 'true',
  /** Port the UI is listening on */
  PORT: assertEnv('PORT'),
  /** If IPv6 should be disabled */
  DISABLE_IPV6: process.env.DISABLE_IPV6 === 'true',
 };
 export const WG_INITIAL_ENV = {
--- a/src/server/utils/wgHelper.ts
+++ b/src/server/utils/wgHelper.ts
@@ -5,11 +5,20 @@ import type { InterfaceType } from '#db/repositories/interface/types';
 import type { UserConfigType } from '#db/repositories/userConfig/types';
 import type { HooksType } from '#db/repositories/hooks/types';
 type Options = {
  enableIpv6?: boolean;
 };
 export const wg = {
-  generateServerPeer: (client: Omit<ClientType, 'createdAt' | 'updatedAt'>) => {
+  generateServerPeer: (
    client: Omit<ClientType, 'createdAt' | 'updatedAt'>,
    options: Options = {}
  ) => {
    const { enableIpv6 = true } = options;
    const allowedIps = [
      `${client.ipv4Address}/32`,
-      `${client.ipv6Address}/128`,
+      ...(enableIpv6 ? [`${client.ipv6Address}/128`] : []),
      ...(client.serverAllowedIps ?? []),
    ];
@@ -25,19 +34,29 @@ PresharedKey = ${client.preSharedKey}
 AllowedIPs = ${allowedIps.join(', ')}${extraLines.length ? `\n${extraLines.join('\n')}` : ''}`;
  },
-  generateServerInterface: (wgInterface: InterfaceType, hooks: HooksType) => {
+  generateServerInterface: (
    wgInterface: InterfaceType,
    hooks: HooksType,
    options: Options = {}
  ) => {
    const { enableIpv6 = true } = options;
    const cidr4 = parseCidr(wgInterface.ipv4Cidr);
    const cidr6 = parseCidr(wgInterface.ipv6Cidr);
    const ipv4Addr = stringifyIp({ number: cidr4.start + 1n, version: 4 });
    const ipv6Addr = stringifyIp({ number: cidr6.start + 1n, version: 6 });
    const address =
      `${ipv4Addr}/${cidr4.prefix}` +
      (enableIpv6 ? `, ${ipv6Addr}/${cidr6.prefix}` : '');
    return `# Note: Do not edit this file directly.
 # Your changes will be overwritten!
 # Server
 [Interface]
 PrivateKey = ${wgInterface.privateKey}
-Address = ${ipv4Addr}/${cidr4.prefix}, ${ipv6Addr}/${cidr6.prefix}
+Address = ${address}
 ListenPort = ${wgInterface.port}
 MTU = ${wgInterface.mtu}
 PreUp = ${iptablesTemplate(hooks.preUp, wgInterface)}
@@ -49,11 +68,18 @@ PostDown = ${iptablesTemplate(hooks.postDown, wgInterface)}`;
  generateClientConfig: (
    wgInterface: InterfaceType,
    userConfig: UserConfigType,
-    client: ClientType
+    client: ClientType,
    options: Options = {}
  ) => {
    const { enableIpv6 = true } = options;
    const cidr4Block = parseCidr(wgInterface.ipv4Cidr).prefix;
    const cidr6Block = parseCidr(wgInterface.ipv6Cidr).prefix;
    const address =
      `${client.ipv4Address}/${cidr4Block}` +
      (enableIpv6 ? `, ${client.ipv6Address}/${cidr6Block}` : '');
    const hookLines = [
      client.preUp ? `PreUp = ${client.preUp}` : null,
      client.postUp ? `PostUp = ${client.postUp}` : null,
@@ -63,7 +89,7 @@ PostDown = ${iptablesTemplate(hooks.postDown, wgInterface)}`;
    return `[Interface]
 PrivateKey = ${client.privateKey}
-Address = ${client.ipv4Address}/${cidr4Block}, ${client.ipv6Address}/${cidr6Block}
+Address = ${address}
 DNS = ${(client.dns ?? userConfig.defaultDns).join(', ')}
 MTU = ${client.mtu}
 ${hookLines.length ? `${hookLines.join('\n')}\n` : ''}