From 63b1cc894c8b60effeff1c7e8b31094bfdad3a87 Mon Sep 17 00:00:00 2001 From: angelnu Date: Sun, 16 Oct 2022 15:56:00 +0000 Subject: [PATCH 01/30] use default gitAuthor --- .github/renovate.json5 | 1 - 1 file changed, 1 deletion(-) diff --git a/.github/renovate.json5 b/.github/renovate.json5 index 56d459b..f3e36dd 100644 --- a/.github/renovate.json5 +++ b/.github/renovate.json5 @@ -5,7 +5,6 @@ ], platform: "github", username: "angelnu-bot[bot]", - gitAuthor: "angelnu-bot ", repositories: ["angelnu/pod-gateway"], renovateFork: true, } From 748de5974eacb7fa51930c7d342d3e1c860e9d02 Mon Sep 17 00:00:00 2001 From: angelnu Date: Sun, 16 Oct 2022 15:58:16 +0000 Subject: [PATCH 02/30] Revert "use default gitAuthor" This reverts commit 63b1cc894c8b60effeff1c7e8b31094bfdad3a87. --- .github/renovate.json5 | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/renovate.json5 b/.github/renovate.json5 index f3e36dd..56d459b 100644 --- a/.github/renovate.json5 +++ b/.github/renovate.json5 @@ -5,6 +5,7 @@ ], platform: "github", username: "angelnu-bot[bot]", + gitAuthor: "angelnu-bot ", repositories: ["angelnu/pod-gateway"], renovateFork: true, } From ed9d4f387b3ee80014b1414da4a3330ba0acab1f Mon Sep 17 00:00:00 2001 From: angelnu Date: Sun, 16 Oct 2022 15:59:00 +0000 Subject: [PATCH 03/30] change gitAuthor --- .github/renovate.json5 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/renovate.json5 b/.github/renovate.json5 index 56d459b..6b46eb3 100644 --- a/.github/renovate.json5 +++ b/.github/renovate.json5 @@ -5,7 +5,7 @@ ], platform: "github", username: "angelnu-bot[bot]", - gitAuthor: "angelnu-bot ", + gitAuthor: "angelnu-bot <249196+angelnu-bot[bot]@users.noreply.github.com>", repositories: ["angelnu/pod-gateway"], renovateFork: true, } From 12ac574eecc1335db5ff72208dd5fb63ebb50775 Mon Sep 17 00:00:00 2001 
From: angelnu Date: Sat, 5 Nov 2022 19:07:30 +0000 Subject: [PATCH 04/30] update bot email address --- .github/renovate.json5 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/renovate.json5 b/.github/renovate.json5 index 6b46eb3..f760a66 100644 --- a/.github/renovate.json5 +++ b/.github/renovate.json5 @@ -5,7 +5,7 @@ ], platform: "github", username: "angelnu-bot[bot]", - gitAuthor: "angelnu-bot <249196+angelnu-bot[bot]@users.noreply.github.com>", + gitAuthor: "angelnu-bot[bot] <115925344+angelnu-bot[bot]@users.noreply.github.com>", repositories: ["angelnu/pod-gateway"], renovateFork: true, } From 811d1ce559573618c9ca35a9f092b13b3dc9c73d Mon Sep 17 00:00:00 2001 From: "angelnu-bot[bot]" <115925344+angelnu-bot[bot]@users.noreply.github.com> Date: Sat, 12 Nov 2022 04:26:34 +0000 Subject: [PATCH 05/30] fix(docker-image): update alpine docker tag to v3.16.3 | datasource | package | from | to | | ---------- | ------- | ------ | ------ | | docker | alpine | 3.16.2 | 3.16.3 | --- Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Dockerfile b/Dockerfile index e98e8a5..150bf01 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,4 +1,4 @@ -FROM alpine:3.16.2@sha256:bc41182d7ef5ffc53a40b044e725193bc10142a1243f395ee852a8d9730fc2ad +FROM alpine:3.16.3@sha256:b95359c2505145f16c6aa384f9cc74eeff78eb36d308ca4fd902eeeb0a0b161b WORKDIR / # iproute2 -> bridge From 6e7bbcc3f1f609d17eb579f8c0c164220048df20 Mon Sep 17 00:00:00 2001 From: "angelnu-bot[bot]" <115925344+angelnu-bot[bot]@users.noreply.github.com> Date: Wed, 23 Nov 2022 01:06:22 +0000 Subject: [PATCH 06/30] feat(docker-image): update alpine docker tag to v3.17.0 | datasource | package | from | to | | ---------- | ------- | ------ | ------ | | docker | alpine | 3.16.3 | 3.17.0 | --- Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Dockerfile b/Dockerfile index 150bf01..0b7e7fe 100644 --- a/Dockerfile +++ b/Dockerfile 
@@ -1,4 +1,4 @@ -FROM alpine:3.16.3@sha256:b95359c2505145f16c6aa384f9cc74eeff78eb36d308ca4fd902eeeb0a0b161b +FROM alpine:3.17.0@sha256:8914eb54f968791faf6a8638949e480fef81e697984fba772b3976835194c6d4 WORKDIR / # iproute2 -> bridge From 52ae16b3470125764ea3a43627cfe7d7b84a24fc Mon Sep 17 00:00:00 2001 From: "angelnu-bot[bot]" <115925344+angelnu-bot[bot]@users.noreply.github.com> Date: Sun, 4 Dec 2022 02:40:31 +0000 Subject: [PATCH 07/30] ci(github-action)!: Update dessant/support-requests action to v3 | datasource | package | from | to | | ----------- | ------------------------ | ---- | -- | | github-tags | dessant/support-requests | v2 | v3 | | github-tags | dessant/support-requests | v2 | v3 | --- .github/workflows/invalid-template.yaml | 2 +- .github/workflows/support.yaml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/invalid-template.yaml b/.github/workflows/invalid-template.yaml index 34f9688..d77a329 100644 --- a/.github/workflows/invalid-template.yaml +++ b/.github/workflows/invalid-template.yaml @@ -10,7 +10,7 @@ jobs: support: runs-on: ubuntu-20.04 steps: - - uses: dessant/support-requests@v2 + - uses: dessant/support-requests@v3 with: github-token: ${{ secrets.GITHUB_TOKEN }} support-label: 'kind:invalid-template' diff --git a/.github/workflows/support.yaml b/.github/workflows/support.yaml index b3d3de0..a607d42 100644 --- a/.github/workflows/support.yaml +++ b/.github/workflows/support.yaml @@ -10,7 +10,7 @@ jobs: support: runs-on: ubuntu-20.04 steps: - - uses: dessant/support-requests@v2 + - uses: dessant/support-requests@v3 with: github-token: ${{ secrets.GITHUB_TOKEN }} support-label: 'kind:support' From 6a87e0947d688610b386a5db2e15ddda00bcf213 Mon Sep 17 00:00:00 2001 
From: "angelnu-bot[bot]" <115925344+angelnu-bot[bot]@users.noreply.github.com> Date: Mon, 30 Jan 2023 19:10:15 +0000 Subject: [PATCH 08/30] ci(github-action)!: Update docker/build-push-action action to v4 | datasource | package | from | to | | ----------- | ------------------------ | ---- | -- | | github-tags | docker/build-push-action | v3 | v4 | --- .github/workflows/ci.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index 2030a72..6e435e4 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml @@ -76,7 +76,7 @@ jobs: - name: Build and Push id: docker_build - uses: docker/build-push-action@v3 + uses: docker/build-push-action@v4 with: builder: ${{ steps.buildx.outputs.name }} context: . From 2449e6354eff1b396643aee23d08f2f1457166a1 Mon Sep 17 00:00:00 2001 From: "angelnu-bot[bot]" <115925344+angelnu-bot[bot]@users.noreply.github.com> Date: Sat, 11 Feb 2023 05:11:27 +0000 Subject: [PATCH 09/30] fix(docker-image): update alpine docker tag to v3.17.2 | datasource | package | from | to | | ---------- | ------- | ------ | ------ | | docker | alpine | 3.17.0 | 3.17.2 | --- Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Dockerfile b/Dockerfile index 0b7e7fe..573e864 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,4 +1,4 @@ -FROM alpine:3.17.0@sha256:8914eb54f968791faf6a8638949e480fef81e697984fba772b3976835194c6d4 +FROM alpine:3.17.2@sha256:69665d02cb32192e52e07644d76bc6f25abeb5410edc1c7a81a10ba3f0efb90a WORKDIR / # iproute2 -> bridge From a45f072fa9f1a660e0c1bf432fe536d99787f6a6 Mon Sep 17 00:00:00 2001 
From: dberardo-com <65530457+dberardo-com@users.noreply.github.com> Date: Fri, 3 Mar 2023 18:15:12 +0100 Subject: [PATCH 10/30] Update client_init.sh motivated by: https://github.com/k8s-at-home/charts/issues/1633#issuecomment-1206676114 and https://github.com/angelnu/pod-gateway/issues/18#issuecomment-1453780540 --- bin/client_init.sh | 1 - 1 file changed, 1 deletion(-) diff --git a/bin/client_init.sh b/bin/client_init.sh index fa67bc8..00b75ed 100755 --- a/bin/client_init.sh +++ b/bin/client_init.sh @@ -61,7 +61,6 @@ ip link set up dev vxlan0 cat << EOF > /etc/dhclient.conf backoff-cutoff 2; initial-interval 1; -link-timeout 10; reboot 0; retry 10; select-timeout 0; From 36a6dcb84db8ffd231cce4fcf624652ddfe81e25 Mon Sep 17 00:00:00 2001 From: "angelnu-bot[bot]" <115925344+angelnu-bot[bot]@users.noreply.github.com> Date: Mon, 13 Mar 2023 17:03:39 +0000 Subject: [PATCH 11/30] chore(docker-image): update alpine:3.17.2 docker digest to ff6bdca --- Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Dockerfile b/Dockerfile index 573e864..f1d3350 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,4 +1,4 @@ -FROM alpine:3.17.2@sha256:69665d02cb32192e52e07644d76bc6f25abeb5410edc1c7a81a10ba3f0efb90a +FROM alpine:3.17.2@sha256:ff6bdca1701f3a8a67e328815ff2346b0e4067d32ec36b7992c1fdc001dc8517 WORKDIR / # iproute2 -> bridge From 313dc368e8ca188eea901e607ff3fe8858b57d93 Mon Sep 17 00:00:00 2001 From: "angelnu-bot[bot]" <115925344+angelnu-bot[bot]@users.noreply.github.com> Date: Wed, 29 Mar 2023 19:03:35 +0000 Subject: [PATCH 12/30] fix(docker-image): update alpine docker tag to v3.17.3 | datasource | package | from | to | | ---------- | ------- | ------ | ------ | | docker | alpine | 3.17.2 | 3.17.3 | --- Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Dockerfile b/Dockerfile index f1d3350..2de0e6a 100644 --- a/Dockerfile +++ b/Dockerfile 
@@ -1,4 +1,4 @@ -FROM alpine:3.17.2@sha256:ff6bdca1701f3a8a67e328815ff2346b0e4067d32ec36b7992c1fdc001dc8517 +FROM alpine:3.17.3@sha256:124c7d2707904eea7431fffe91522a01e5a861a624ee31d03372cc1d138a3126 WORKDIR / # iproute2 -> bridge From 535318806a59bfb28368b1aaa696ef7567fb9555 Mon Sep 17 00:00:00 2001 From: mergwyn Date: Tue, 18 Apr 2023 14:12:35 +0100 Subject: [PATCH 13/30] First pas at makeing dnssec support optional --- bin/gateway_sidecar.sh | 11 +++++++---- config/settings.sh | 3 +++ 2 files changed, 10 insertions(+), 4 deletions(-) diff --git a/bin/gateway_sidecar.sh b/bin/gateway_sidecar.sh index 77e2753..95b53ac 100755 --- a/bin/gateway_sidecar.sh +++ b/bin/gateway_sidecar.sh @@ -39,16 +39,19 @@ log-facility=- # Clear DNS cache on reload clear-on-reload -# Enable DNSSEC validation and caching -conf-file=/usr/share/dnsmasq/trust-anchors.conf -dnssec - # /etc/resolv.conf cannot be monitored by dnsmasq since it is in a different file system # and dnsmasq monitors directories only # copy_resolv.sh is used to copy the file on changes resolv-file=${RESOLV_CONF_COPY} EOF +if [[ ${GATEWAY_ENABLE_DNSSEC} == true ];then +cat << EOF >> /etc/dnsmasq.d/pod-gateway.conf + # Enable DNSSEC validation and caching + conf-file=/usr/share/dnsmasq/trust-anchors.conf + dnssec +EOF + for local_cidr in $DNS_LOCAL_CIDRS; do cat << EOF >> /etc/dnsmasq.d/pod-gateway.conf # Send ${local_cidr} DNS queries to the K8S DNS server diff --git a/config/settings.sh b/config/settings.sh index 61d2921..a7164cc 100755 --- a/config/settings.sh +++ b/config/settings.sh @@ -40,5 +40,8 @@ RESOLV_CONF_COPY=/etc/resolv_copy.conf # The following value can be used to to provide more stability in an unreliable network connection. CONNECTION_RETRY_COUNT=1 +# you want to disable DNSSEC with the gateway then set this to false +GATEWAY_ENABLE_DNSSEC=true + # If you use nftables for iptables you need to set this to yes IPTABLES_NFT=no From 280cfd58855dd4e5e3e537e2456550e0cba18a30 Mon Sep 17 00:00:00 2001 
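Review bot: The new `if [[ ${GATEWAY_ENABLE_DNSSEC} == true ]]` guard in gateway_sidecar.sh turns DNSSEC validation off whenever the variable is unset, so an existing deployment that mounts its own settings.sh without the new key silently loses the validation it had before this commit (how settings.sh is sourced is outside the hunk; this is inferred from the `COPY config /default_config` / `COPY config /config` layout in the Dockerfile). Default the flag before testing it, `GATEWAY_ENABLE_DNSSEC="${GATEWAY_ENABLE_DNSSEC:-true}"`, so a missing key fails safe. Add an `else` branch that logs the opt-out, e.g. `echo "DNSSEC validation disabled (GATEWAY_ENABLE_DNSSEC=${GATEWAY_ENABLE_DNSSEC})"`, so a gateway forwarding unvalidated answers is visible in the pod log rather than indistinguishable from a validating one.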
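Review bot: The comment added above `GATEWAY_ENABLE_DNSSEC=true` in settings.sh, `# you want to disable DNSSEC with the gateway then set this to false`, is missing its opening word and does not say what values count. Since the check in gateway_sidecar.sh matches the literal string `true`, values like `yes` or `True` silently disable validation; suggest `# Set to false to disable DNSSEC validation in the gateway's dnsmasq. Only the exact string "true" enables it.`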
From: mergwyn Date: Sat, 22 Apr 2023 18:29:49 +0100 Subject: [PATCH 14/30] Fix typo --- bin/gateway_sidecar.sh | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/bin/gateway_sidecar.sh b/bin/gateway_sidecar.sh index 95b53ac..5699a15 100755 --- a/bin/gateway_sidecar.sh +++ b/bin/gateway_sidecar.sh @@ -45,12 +45,13 @@ clear-on-reload resolv-file=${RESOLV_CONF_COPY} EOF -if [[ ${GATEWAY_ENABLE_DNSSEC} == true ];then +if [[ ${GATEWAY_ENABLE_DNSSEC} == true ]]; then cat << EOF >> /etc/dnsmasq.d/pod-gateway.conf # Enable DNSSEC validation and caching conf-file=/usr/share/dnsmasq/trust-anchors.conf dnssec EOF +fi for local_cidr in $DNS_LOCAL_CIDRS; do cat << EOF >> /etc/dnsmasq.d/pod-gateway.conf From cec35c3b29f096a7265a821817d426493bfbd36c Mon Sep 17 00:00:00 2001 From: Angel Nunez Mencias Date: Mon, 1 May 2023 01:11:51 +0200 Subject: [PATCH 15/30] Create dependency-review.yml --- .github/workflows/dependency-review.yml | 20 ++++++++++++++++++++ 1 file changed, 20 insertions(+) create mode 100644 .github/workflows/dependency-review.yml diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml new file mode 100644 index 0000000..fe461b4 --- /dev/null +++ b/.github/workflows/dependency-review.yml 
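Review bot: The heredoc under the now-closed `if` writes `    conf-file=/usr/share/dnsmasq/trust-anchors.conf` and `    dnssec` into /etc/dnsmasq.d/pod-gateway.conf with four leading spaces, unlike every other line the script emits at column 0. dnsmasq appears to tolerate leading whitespace in option lines, but I have not verified that for the version shipped in this image, and the generated file should be uniform either way; move the three heredoc body lines to column 0 so they read `# Enable DNSSEC validation and caching`, `conf-file=/usr/share/dnsmasq/trust-anchors.conf`, `dnssec`.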
@@ -0,0 +1,20 @@ +# Dependency Review Action +# +# This Action will scan dependency manifest files that change as part of a Pull Request, surfacing known-vulnerable versions of the packages declared or updated in the PR. Once installed, if the workflow run is marked as required, PRs introducing known-vulnerable packages will be blocked from merging. +# +# Source repository: https://github.com/actions/dependency-review-action +# Public documentation: https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/about-dependency-review#dependency-review-enforcement +name: 'Dependency Review' +on: [pull_request] + +permissions: + contents: read + +jobs: + dependency-review: + runs-on: ubuntu-latest + steps: + - name: 'Checkout Repository' + uses: actions/checkout@v3 + - name: 'Dependency Review' + uses: actions/dependency-review-action@v2 From a94c0f246a78ddebe8b148f3f504fdf5b3815d60 Mon Sep 17 00:00:00 2001 From: "angelnu-bot[bot]" <115925344+angelnu-bot[bot]@users.noreply.github.com> Date: Mon, 1 May 2023 00:12:23 +0000 Subject: [PATCH 16/30] ci(github-action)!: Update actions/dependency-review-action action to v3 | datasource | package | from | to | | ----------- | -------------------------------- | ---- | -- | | github-tags | actions/dependency-review-action | v2 | v3 | --- .github/workflows/dependency-review.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml index fe461b4..b0dedc4 100644 --- a/.github/workflows/dependency-review.yml +++ b/.github/workflows/dependency-review.yml @@ -17,4 +17,4 @@ jobs: - name: 'Checkout Repository' uses: actions/checkout@v3 - name: 'Dependency Review' - uses: actions/dependency-review-action@v2 + uses: actions/dependency-review-action@v3 From 2a41616b4ca3228d244f5dde454765fee4a99cfb Mon Sep 17 00:00:00 2001 
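Review bot: Both steps pin to floating major tags, `uses: actions/checkout@v3` and `uses: actions/dependency-review-action@v2`, and this repository's Renovate config already extends an automerge preset for GitHub Actions, so a tag moved after a maintainer or repository compromise would run here with no human in the loop. Pin each `uses:` to the full commit SHA of the release and keep the tag in a trailing comment (`# v2`), which Renovate still tracks for updates; the `permissions: contents: read` block is correct and should stay. Note also that dependency review depends on the dependency graph, and this repository's manifests are a Dockerfile and shell scripts, so unless the graph covers the Actions workflows themselves (GitHub supports that, but I have not confirmed it is enabled here) the step may have nothing to report and must not be mistaken for a gate on the Alpine base image.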
From: "angelnu-bot[bot]" <115925344+angelnu-bot[bot]@users.noreply.github.com> Date: Wed, 10 May 2023 00:10:54 +0000 Subject: [PATCH 17/30] feat(docker-image): update alpine docker tag to v3.18.0 | datasource | package | from | to | | ---------- | ------- | ------ | ------ | | docker | alpine | 3.17.3 | 3.18.0 | --- Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Dockerfile b/Dockerfile index 2de0e6a..ce90c6a 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,4 +1,4 @@ -FROM alpine:3.17.3@sha256:124c7d2707904eea7431fffe91522a01e5a861a624ee31d03372cc1d138a3126 +FROM alpine:3.18.0@sha256:02bb6f428431fbc2809c5d1b41eab5a68350194fb508869a33cb1af4444c9b11 WORKDIR / # iproute2 -> bridge From a8606fd150de92a7038ed237f5d81c1992cdc3e0 Mon Sep 17 00:00:00 2001 From: samos667 <50653464+samos667@users.noreply.github.com> Date: Sun, 18 Jun 2023 13:00:24 +0000 Subject: [PATCH 18/30] set correct vxlan0 MTU according to vpn interface --- bin/client_init.sh | 11 +++++++++++ bin/gateway_init.sh | 11 +++++++++++ 2 files changed, 22 insertions(+) diff --git a/bin/client_init.sh b/bin/client_init.sh index 00b75ed..8fcfe32 100755 --- a/bin/client_init.sh +++ b/bin/client_init.sh @@ -57,6 +57,17 @@ ping -c "${CONNECTION_RETRY_COUNT}" "$GATEWAY_IP" ip link add vxlan0 type vxlan id "$VXLAN_ID" dev eth0 dstport 0 || true bridge fdb append to 00:00:00:00:00:00 dst "$GATEWAY_IP" dev vxlan0 ip link set up dev vxlan0 +if [[ -n "$VPN_INTERFACE_MTU" ]]; then + ETH0_INTERFACE_MTU=$(cat /sys/class/net/eth0/mtu) + VXLAN0_INTERFACE_MAX_MTU=$((ETH0_INTERFACE_MTU-50)) + #Ex: if tun0 = 1500 and max mtu is 1450 + if [ ${VPN_INTERFACE_MTU} >= ${VXLAN0_INTERFACE_MAX_MTU} ];then + ip link set mtu "${VXLAN0_INTERFACE_MAX_MTU}" dev vxlan0 + #Ex: if wg0 = 1420 and max mtu is 1450 + else + ip link set mtu "${VPN_INTERFACE_MTU}" dev vxlan0 + fi +fi cat << EOF > /etc/dhclient.conf backoff-cutoff 2; diff --git a/bin/gateway_init.sh b/bin/gateway_init.sh index 957bda9..3e0e35e 100755 
--- a/bin/gateway_init.sh +++ b/bin/gateway_init.sh @@ -30,6 +30,17 @@ VXLAN_GATEWAY_IP="${VXLAN_IP_NETWORK}.1" ip link add vxlan0 type vxlan id $VXLAN_ID dev eth0 dstport 0 || true ip addr add ${VXLAN_GATEWAY_IP}/24 dev vxlan0 || true ip link set up dev vxlan0 +if [[ -n "$VPN_INTERFACE_MTU" ]]; then + ETH0_INTERFACE_MTU=$(cat /sys/class/net/eth0/mtu) + VXLAN0_INTERFACE_MAX_MTU=$((ETH0_INTERFACE_MTU-50)) + #Ex: if tun0 = 1500 and max mtu is 1450 + if [ ${VPN_INTERFACE_MTU} >= ${VXLAN0_INTERFACE_MAX_MTU} ];then + ip link set mtu "${VXLAN0_INTERFACE_MAX_MTU}" dev vxlan0 + #Ex: if wg0 = 1420 and max mtu is 1450 + else + ip link set mtu "${VPN_INTERFACE_MTU}" dev vxlan0 + fi +fi # check if rule already exists (retry) if ! ip rule | grep -q "from all lookup main suppress_prefixlength 0"; then From 6e2beeb54ac0e2695721dffaa0df1f970c34b016 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Skyler=20M=C3=A4ntysaari?= Date: Mon, 3 Jul 2023 18:05:45 +0300 Subject: [PATCH 19/30] feat(ipv6): We don't currently support it so block it on client sidecar to prevent leakage of traffic. --- Dockerfile | 2 +- bin/client_init.sh | 4 ++++ 2 files changed, 5 insertions(+), 1 deletion(-) diff --git a/Dockerfile b/Dockerfile index ce90c6a..1f22365 100644 --- a/Dockerfile +++ b/Dockerfile @@ -8,7 +8,7 @@ WORKDIR / # coreutils -> need REAL chown and chmod for dhclient (it uses reference option not supported in busybox) # bash -> for scripting logic # inotify-tools -> inotifyd for dnsmask resolv.conf reload circumvention -RUN apk add --no-cache coreutils dnsmasq-dnssec iproute2 bind-tools dhclient bash inotify-tools +RUN apk add --no-cache coreutils dnsmasq-dnssec iproute2 bind-tools dhclient bash inotify-tools ip6tables COPY config /default_config COPY config /config diff --git a/bin/client_init.sh b/bin/client_init.sh index 00b75ed..b203be6 100755 --- a/bin/client_init.sh +++ b/bin/client_init.sh 
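Review bot: The MTU block added to gateway_init.sh is a verbatim copy of the one added to client_init.sh in this patch, including the `[ ${VPN_INTERFACE_MTU} >= ${VXLAN0_INTERFACE_MAX_MTU} ]` test in which `>=` is a redirection rather than a comparison, so the `else` branch is always taken and an empty file named `=` is left behind. Rather than fixing the same logic in two places, move it into one function that validates the integer and uses `-ge`, and call it from both init scripts right after `ip link set up dev vxlan0`; where the shared file lives depends on how config/settings.sh is sourced, which is outside the hunk. The `#Ex:` comments should also say what the 50 bytes are, since that constant is the whole reason for the clamp.
```shell
# Set vxlan0's MTU from the VPN MTU, capped at eth0's MTU minus the
# VXLAN encapsulation overhead (14 eth + 20 IPv4 + 8 UDP + 8 VXLAN = 50 bytes).
set_vxlan_mtu() {
  local vpn_mtu="$1"
  [[ "$vpn_mtu" =~ ^[0-9]+$ ]] || { echo "VPN_INTERFACE_MTU must be an integer, got '$vpn_mtu'"; return 1; }
  local max_mtu=$(( $(cat /sys/class/net/eth0/mtu) - 50 ))
  if [ "$vpn_mtu" -ge "$max_mtu" ]; then
    ip link set mtu "$max_mtu" dev vxlan0
  else
    ip link set mtu "$vpn_mtu" dev vxlan0
  fi
}
# … unchanged: ip link add / ip addr add / ip link set up dev vxlan0 …
if [[ -n "$VPN_INTERFACE_MTU" ]]; then
  set_vxlan_mtu "$VPN_INTERFACE_MTU"
fi
```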
@@ -24,6 +24,10 @@ fi echo "Deleting existing default GWs" ip route del 0/0 || /bin/true +# We don't support IPv6 at the moment, so delete default route to prevent leaking traffic. +echo "Deleting existing default IPv6 route to prevent leakage" +ip route -6 del default || /bin/true + # After this point nothing should be reachable -> check if ping -c 1 -W 1000 8.8.8.8; then echo "WE SHOULD NOT BE ABLE TO PING -> EXIT" From 438fb63663d1cc24292c56b637f7475f4096031b Mon Sep 17 00:00:00 2001 From: "angelnu-bot[bot]" <115925344+angelnu-bot[bot]@users.noreply.github.com> Date: Mon, 4 Sep 2023 13:04:49 +0000 Subject: [PATCH 20/30] ci(github-action)!: Update actions/checkout action to v4 by-angelnu-bot | datasource | package | from | to | | ----------- | ---------------- | ---- | -- | | github-tags | actions/checkout | v3 | v4 | --- .github/workflows/ci.yaml | 2 +- .github/workflows/dependency-review.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index 6e435e4..0550b0c 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml @@ -23,7 +23,7 @@ jobs: if: "!contains(github.event.head_commit.message, '[ci-skip]')" steps: - name: Checkout - uses: actions/checkout@v3 + uses: actions/checkout@v4 - name: Prepare id: prep diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml index b0dedc4..4e75197 100644 --- a/.github/workflows/dependency-review.yml +++ b/.github/workflows/dependency-review.yml @@ -15,6 +15,6 @@ jobs: runs-on: ubuntu-latest steps: - name: 'Checkout Repository' - uses: actions/checkout@v3 + uses: actions/checkout@v4 - name: 'Dependency Review' uses: actions/dependency-review-action@v3 From 86bcb571992a171c4a11669ad6e9f6ef8b575a6f Mon Sep 17 00:00:00 2001 
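Review bot: `ip route -6 del default || /bin/true` removes only the IPv6 default route that exists at start-up; it does not block IPv6, so a router advertisement received afterwards can re-install a default route (accept_ra is not touched here), and on-link and link-local destinations stay reachable throughout, which is the leak the commit message says it prevents. This commit also adds `ip6tables` to the image but never invokes it; use it right after the route deletion, `ip6tables -P OUTPUT DROP` and `ip6tables -A OUTPUT -o lo -j ACCEPT`, which should work under the same NET_ADMIN privilege the route changes already need (confirm in the chart). The reachability check that follows probes only `8.8.8.8`; add an IPv6 probe alongside it, `if ping -6 -c 1 -W 1000 2001:4860:4860::8888; then`, so a v6 path that survives is caught the same way a v4 one is. The enclosing script continues outside the hunk.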
From: "angelnu-bot[bot]" <115925344+angelnu-bot[bot]@users.noreply.github.com> Date: Tue, 12 Sep 2023 08:04:25 +0000 Subject: [PATCH 21/30] ci(github-action)!: Update docker/build-push-action action to v5 by-angelnu-bot | datasource | package | from | to | | ----------- | ------------------------ | ---- | -- | | github-tags | docker/build-push-action | v4 | v5 | --- .github/workflows/ci.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index 6e435e4..2dea178 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml @@ -76,7 +76,7 @@ jobs: - name: Build and Push id: docker_build - uses: docker/build-push-action@v4 + uses: docker/build-push-action@v5 with: builder: ${{ steps.buildx.outputs.name }} context: . From 1c2b87566a4329f7df1eaf77ceac8f0482c51ee4 Mon Sep 17 00:00:00 2001 From: "angelnu-bot[bot]" <115925344+angelnu-bot[bot]@users.noreply.github.com> Date: Tue, 12 Sep 2023 08:04:30 +0000 Subject: [PATCH 22/30] ci(github-action)!: Update docker/login-action action to v3 by-angelnu-bot | datasource | package | from | to | | ----------- | ------------------- | ---- | -- | | github-tags | docker/login-action | v2 | v3 | --- .github/workflows/ci.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index 6e435e4..4d34ef7 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml @@ -68,7 +68,7 @@ jobs: - name: Login to GitHub Container Registry if: github.event_name != 'pull_request' - uses: docker/login-action@v2 + uses: docker/login-action@v3 with: registry: ghcr.io username: ${{ secrets.GHCR_USERNAME }} From 6cf46e1807411654e84f0788674bafd2400eda4a Mon Sep 17 00:00:00 2001 
From: "angelnu-bot[bot]" <115925344+angelnu-bot[bot]@users.noreply.github.com> Date: Tue, 12 Sep 2023 09:04:08 +0000 Subject: [PATCH 23/30] ci(github-action)!: Update docker/setup-qemu-action action to v3 by-angelnu-bot | datasource | package | from | to | | ----------- | ------------------------ | ---- | -- | | github-tags | docker/setup-qemu-action | v2 | v3 | --- .github/workflows/ci.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index 6e435e4..b483575 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml @@ -54,7 +54,7 @@ jobs: echo ::set-output name=github_server_url::"${GITHUB_SERVER_URL}" - name: Set up QEMU - uses: docker/setup-qemu-action@v2 + uses: docker/setup-qemu-action@v3 with: platforms: all From 788b2172b732f9e9022a7be1ecf90cdc31fcccfa Mon Sep 17 00:00:00 2001 From: "angelnu-bot[bot]" <115925344+angelnu-bot[bot]@users.noreply.github.com> Date: Fri, 6 Oct 2023 10:03:41 +0000 Subject: [PATCH 24/30] ci(github-action)!: Update docker/setup-buildx-action action to v3 by-angelnu-bot | datasource | package | from | to | | ----------- | -------------------------- | ---- | -- | | github-tags | docker/setup-buildx-action | v2 | v3 | --- .github/workflows/ci.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index 6e435e4..2b6b22c 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml @@ -60,7 +60,7 @@ jobs: - name: Set up Docker Buildx id: buildx - uses: docker/setup-buildx-action@v2 + uses: docker/setup-buildx-action@v3 with: install: true version: latest From 3eec1615f5526f726a9352922c2ac8c2e60ccfd1 Mon Sep 17 00:00:00 2001 From: Anton Curanz Date: Mon, 6 Nov 2023 09:18:30 +0100 Subject: [PATCH 25/30] Added option to use SNAT instead of Masquerading --- bin/gateway_init.sh | 8 +++++++- config/settings.sh | 3 +++ 2 files changed, 10 insertions(+), 1 deletion(-) 
diff --git a/bin/gateway_init.sh b/bin/gateway_init.sh index 957bda9..53d7f5f 100755 --- a/bin/gateway_init.sh +++ b/bin/gateway_init.sh @@ -38,7 +38,13 @@ if ! ip rule | grep -q "from all lookup main suppress_prefixlength 0"; then fi # Enable outbound NAT -iptables -t nat -A POSTROUTING -j MASQUERADE +if [[ -n "$SNAT_IP" ]]; then + echo "Enable SNAT" + iptables -t nat -A POSTROUTING -o "$VPN_INTERFACE" -j SNAT --to "$SNAT_IP" +else + echo "Enable Masquerading" + iptables -t nat -A POSTROUTING -j MASQUERADE +fi if [[ -n "$VPN_INTERFACE" ]]; then # Open inbound NAT ports in nat.conf diff --git a/config/settings.sh b/config/settings.sh index a7164cc..409c9f7 100755 --- a/config/settings.sh +++ b/config/settings.sh @@ -45,3 +45,6 @@ GATEWAY_ENABLE_DNSSEC=true # If you use nftables for iptables you need to set this to yes IPTABLES_NFT=no + +# Set to WAN/VPN IP to enable SNAT instead of Masquerading +SNAT_IP="" From 7deb5bf030ecb8ecc845e835ccb28c25fca2a5a5 Mon Sep 17 00:00:00 2001 From: "angelnu-bot[bot]" <115925344+angelnu-bot[bot]@users.noreply.github.com> Date: Wed, 15 Nov 2023 01:27:10 +0000 Subject: [PATCH 26/30] ci(github-action)!: Update dessant/support-requests action to v4 by-angelnu-bot | datasource | package | from | to | | ----------- | ------------------------ | ---- | -- | | github-tags | dessant/support-requests | v3 | v4 | --- .github/workflows/invalid-template.yaml | 2 +- .github/workflows/support.yaml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/invalid-template.yaml b/.github/workflows/invalid-template.yaml index d77a329..dd2eae6 100644 --- a/.github/workflows/invalid-template.yaml +++ b/.github/workflows/invalid-template.yaml @@ -10,7 +10,7 @@ jobs: support: runs-on: ubuntu-20.04 steps: - - uses: dessant/support-requests@v3 + - uses: dessant/support-requests@v4 with: github-token: ${{ secrets.GITHUB_TOKEN }} support-label: 'kind:invalid-template' 
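Review bot: The new SNAT branch runs `iptables -t nat -A POSTROUTING -o "$VPN_INTERFACE" -j SNAT --to "$SNAT_IP"` whenever `SNAT_IP` is non-empty, but `VPN_INTERFACE` is only checked on the following `if [[ -n "$VPN_INTERFACE" ]]` line, so with SNAT_IP set and VPN_INTERFACE empty iptables receives `-o ""`, the rule is rejected, and the gateway is left with no outbound NAT at all (whether the script then aborts depends on a `set -e` outside the hunk). Guard on both, `if [[ -n "$SNAT_IP" && -n "$VPN_INTERFACE" ]]; then`, and exit with a clear message when SNAT_IP is set without an interface instead of falling through to MASQUERADE. A comment next to the rule should also record the operational trade-off that MASQUERADE does not have: `# SNAT_IP must equal the VPN interface address; it is not refreshed if the VPN reconnects with a new address, after which translated packets are dropped`.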
diff --git a/.github/workflows/support.yaml b/.github/workflows/support.yaml index a607d42..e1dd441 100644 --- a/.github/workflows/support.yaml +++ b/.github/workflows/support.yaml @@ -10,7 +10,7 @@ jobs: support: runs-on: ubuntu-20.04 steps: - - uses: dessant/support-requests@v3 + - uses: dessant/support-requests@v4 with: github-token: ${{ secrets.GITHUB_TOKEN }} support-label: 'kind:support' From ef7abd293665d0b76366750c71332088ca144278 Mon Sep 17 00:00:00 2001 From: "angelnu-bot[bot]" <115925344+angelnu-bot[bot]@users.noreply.github.com> Date: Sun, 3 Dec 2023 13:04:12 +0000 Subject: [PATCH 27/30] ci(github-action)!: Update ubuntu to 22.04 | datasource | package | from | to | | -------------- | ------- | ----- | ----- | | github-runners | ubuntu | 20.04 | 22.04 | --- .github/workflows/invalid-template.yaml | 2 +- .github/workflows/support.yaml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/invalid-template.yaml b/.github/workflows/invalid-template.yaml index d77a329..76ecc68 100644 --- a/.github/workflows/invalid-template.yaml +++ b/.github/workflows/invalid-template.yaml @@ -8,7 +8,7 @@ on: jobs: support: - runs-on: ubuntu-20.04 + runs-on: ubuntu-22.04 steps: - uses: dessant/support-requests@v3 with: diff --git a/.github/workflows/support.yaml b/.github/workflows/support.yaml index a607d42..28c28a2 100644 --- a/.github/workflows/support.yaml +++ b/.github/workflows/support.yaml @@ -8,7 +8,7 @@ on: jobs: support: - runs-on: ubuntu-20.04 + runs-on: ubuntu-22.04 steps: - uses: dessant/support-requests@v3 with: From 8f3ec18ef1c0362921552d57433839879fa0bfc1 Mon Sep 17 00:00:00 2001 From: Angel Nunez Mencias Date: Sun, 3 Dec 2023 14:33:02 +0100 Subject: [PATCH 28/30] Update renovate.json5 --- .github/renovate.json5 | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/renovate.json5 b/.github/renovate.json5 index f760a66..396f159 100644 --- a/.github/renovate.json5 +++ b/.github/renovate.json5 
@@ -2,6 +2,7 @@ extends: [ "github>angelnu/renovate-config", "github>angelnu/renovate-config:automerge-github-actions", + "github>angelnu/renovate-config:automerge-docker", ], platform: "github", username: "angelnu-bot[bot]", From b43db9834e431d58af0120304fc46693f16b7654 Mon Sep 17 00:00:00 2001 From: "angelnu-bot[bot]" <115925344+angelnu-bot[bot]@users.noreply.github.com> Date: Fri, 1 Dec 2023 03:04:09 +0000 Subject: [PATCH 29/30] fix(docker-image): update alpine docker tag to v3.18.5 by-angelnu-bot | datasource | package | from | to | | ---------- | ------- | ------ | ------ | | docker | alpine | 3.18.0 | 3.18.5 | --- Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Dockerfile b/Dockerfile index ce90c6a..ac062c2 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,4 +1,4 @@ -FROM alpine:3.18.0@sha256:02bb6f428431fbc2809c5d1b41eab5a68350194fb508869a33cb1af4444c9b11 +FROM alpine:3.18.5@sha256:34871e7290500828b39e22294660bee86d966bc0017544e848dd9a255cdf59e0 WORKDIR / # iproute2 -> bridge From b9db2c10e7189d357e80806be0ca603e46c412af Mon Sep 17 00:00:00 2001 From: Angel Nunez Mencias Date: Sun, 3 Dec 2023 14:44:12 +0100 Subject: [PATCH 30/30] Comment VPN_INTERFACE_MTU --- config/settings.sh | 3 +++ 1 file changed, 3 insertions(+) diff --git a/config/settings.sh b/config/settings.sh index 409c9f7..9929e40 100755 --- a/config/settings.sh +++ b/config/settings.sh @@ -48,3 +48,6 @@ IPTABLES_NFT=no # Set to WAN/VPN IP to enable SNAT instead of Masquerading SNAT_IP="" + +# Set the VPN MTU. It also adjust the VXLAN MTU to avoid fragmenting the package in the gateway (VXLAN-> MTU) +VPN_INTERFACE_MTU=""
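Review bot: `"github>angelnu/renovate-config:automerge-docker"` presumably lets Renovate merge base-image tag and digest bumps without a human (the preset itself is not in this diff, so that is inferred from its name). Because the Dockerfile pins `alpine` by digest, automerge is a reasonable way to keep up with patch releases, but it only stays safe if the build job in `.github/workflows/ci.yaml` is a required status check on the default branch; otherwise a bump that breaks `apk add` can land unbuilt and surface only when an image is next published. Confirm the branch protection, or scope the preset so automerge applies only to digest updates and patch-level tag bumps while minor and major Alpine upgrades still get a review.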
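Review bot: The comment above `VPN_INTERFACE_MTU=""` reads `# Set the VPN MTU. It also adjust the VXLAN MTU to avoid fragmenting the package in the gateway (VXLAN-> MTU)`, which is ungrammatical and does not say what form the value takes, while the init scripts that consume it use it directly in shell arithmetic. Suggest `# MTU of the VPN interface as a bare integer (bytes). When set, vxlan0's MTU is lowered to this value, capped at eth0's MTU minus the 50-byte VXLAN overhead, so packets are not fragmented at the gateway. Leave empty to keep the kernel default.`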