linuxserver · Sep 9, 2021 · Sep 9, 2021 · Sep 9, 2021 · Sep 10, 2021 · Sep 10, 2021
diff --git a/.dockerignore b/.dockerignore
@@ -1,6 +1,124 @@
 .git
 .gitignore
 .github
-.gitattributes
-READMETEMPLATE.md
 README.md
+LICENSE
+
+### macOS template
+# General
+.DS_Store
+.AppleDouble
+.LSOverride
+
+# Icon must end with two \r
+Icon
+
+# Thumbnails
+._*
+
+# Files that might appear in the root of a volume
+.DocumentRevisions-V100
+.fseventsd
+.Spotlight-V100
+.TemporaryItems
+.Trashes
+.VolumeIcon.icns
+.com.apple.timemachine.donotpresent
+
+# Directories potentially created on remote AFP share
+.AppleDB
+.AppleDesktop
+Network Trash Folder
+Temporary Items
+.apdisk
+
+### JetBrains template
+# Covers JetBrains IDEs: IntelliJ, RubyMine, PhpStorm, AppCode, PyCharm, CLion, Android Studio, WebStorm and Rider
+# Reference: https://intellij-support.jetbrains.com/hc/en-us/articles/206544839
+
+.idea
+
+# CMake
+cmake-build-*/
+
+# File-based project format
+*.iws
+
+# IntelliJ
+out/
+
+# JIRA plugin
+atlassian-ide-plugin.xml
+
+# Crashlytics plugin (for Android Studio and IntelliJ)
+com_crashlytics_export_strings.xml
+crashlytics.properties
+crashlytics-build.properties
+fabric.properties
+
+### VisualStudioCode template
+.vscode
+
+# Local History for Visual Studio Code
+.history/
+
+### Windows template
+# Windows thumbnail cache files
+Thumbs.db
+Thumbs.db:encryptable
+ehthumbs.db
+ehthumbs_vista.db
+
+# Dump file
+*.stackdump
+
+# Folder config file
+[Dd]esktop.ini
+
+# Recycle Bin used on file shares
+$RECYCLE.BIN/
+
+# Windows Installer files
+*.cab
+*.msi
+*.msix
+*.msm
+*.msp
+
+# Windows shortcuts
+*.lnk
+
+### Linux template
+*~
+
+# temporary files which can be created if a process still has a handle open of a deleted file
+.fuse_hidden*
+
+# KDE directory preferences
+.directory
+
+# Linux trash folder which might appear on any partition or disk
+.Trash-*
+
+# .nfs files are created when an open file is removed but is still being accessed
+.nfs*
+
+### Vim template
+# Swap
+[._]*.s[a-v][a-z]
+!*.svg  # comment out if you don't need vector files
+[._]*.sw[a-p]
+[._]s[a-rt-v][a-z]
+[._]ss[a-gi-z]
+[._]sw[a-p]
+
+# Session
+Session.vim
+Sessionx.vim
+
+# Temporary
+.netrwhist
+# Auto-generated tag files
+tags
+# Persistent undo
+[._]*.un~
diff --git a/.editorconfig b/.editorconfig
diff --git a/.gitattributes b/.gitattributes
diff --git a/.github/CONTRIBUTING.md b/.github/CONTRIBUTING.md
diff --git a/.github/FUNDING.yml b/.github/FUNDING.yml
@@ -1,3 +1,2 @@
-github: linuxserver
-open_collective: linuxserver
-custom: ["https://www.wireguard.com/donations/",]
+github: [bubuntux]
+custom: ["https://www.wireguard.com/donations/","https://www.linuxserver.io/donate"]
diff --git a/.github/ISSUE_TEMPLATE/bug_report.md b/.github/ISSUE_TEMPLATE/bug_report.md
@@ -0,0 +1,34 @@
+---
+name: Bug report
+about: Create a report to help us improve
+title: ''
+labels: bug, help wanted
+assignees: ''
+---
+##### :warning: Make sure to follow the template, troubleshoot on your own first, review [Open/Closed Issues](https://github.com/bubuntux/nordlynx/issues), [Discussions](https://github.com/bubuntux/nordlynx/discussions), [Wiki](https://github.com/bubuntux/nordlynx/wiki) and consider creating a discussion thread instead. :warning:
+
+### **Describe the bug**
+A clear and concise description of what the bug is.
+
+### **To Reproduce using docker CLI**
+Full command needs to be provided (hide credentials)
+`docker run ... bubuntux/nordlynx `
+
+### **To Reproduce using docker-compose**
+docker-compose.yml if used  (hide credentials)
+```
+version: '3'
+services:
+  vpn:
+    image: bubuntux/nordlynx
+  ...
+```
+
+### **Expected behavior**
+A clear and concise description of what you expected to happen and a simple way for someone else to test it.
+
+### **Logs**
+Focus on errors or warnings messages, if not available post entire logs
+
+### **Additional context**
+Distribution used, versions, architecture and any other context about the problem here.
diff --git a/.github/ISSUE_TEMPLATE/config.yml b/.github/ISSUE_TEMPLATE/config.yml
@@ -1,13 +1 @@
 blank_issues_enabled: false
-contact_links:
-  - name: Discord chat support
-    url: https://discord.gg/YWrKVTn
-    about: Realtime support / chat with the community and the team.
-
-  - name: Discourse discussion forum
-    url: https://discourse.linuxserver.io
-    about: Post on our community forum.
-
-  - name: Documentation
-    url: https://docs.linuxserver.io/images/docker-wireguard
-    about: Documentation - information about all of our containers.
diff --git a/.github/ISSUE_TEMPLATE/feature_request.md b/.github/ISSUE_TEMPLATE/feature_request.md
@@ -0,0 +1,20 @@
+---
+name: Feature request
+about: Suggest an idea for this project
+title: ''
+labels: enhancement, help wanted
+assignees: ''
+
+---
+
+**Is your feature request related to a problem? Please describe.**
+A clear and concise description of what the problem is. Ex. I'm always frustrated when [...]
+
+**Describe the solution you'd like**
+A clear and concise description of what you want to happen.
+
+**Describe alternatives you've considered**
+A clear and concise description of any alternative solutions or features you've considered.
+
+**Additional context**
+Add any other context or screenshots about the feature request here.
diff --git a/.github/ISSUE_TEMPLATE/issue.bug.md b/.github/ISSUE_TEMPLATE/issue.bug.md
diff --git a/.github/ISSUE_TEMPLATE/issue.feature.md b/.github/ISSUE_TEMPLATE/issue.feature.md
diff --git a/.github/PULL_REQUEST_TEMPLATE.md b/.github/PULL_REQUEST_TEMPLATE.md
diff --git a/.github/workflows/docker-image-ci.yml b/.github/workflows/docker-image-ci.yml
@@ -0,0 +1,51 @@
+name: Docker Image CI
+
+on:
+  schedule:
+    - cron: '4 20 1 * 4'
+  push:
+    branches: [ main ]
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Log into DockerHub
+        uses: docker/login-action@v1
+        with:
+          username: ${{ github.repository_owner }}
+          password: ${{ secrets.DOCKERHUB_TOKEN }}
+
+      - name: Log into GitHub Container Registry
+        uses: docker/login-action@v1
+        with:
+          registry: ghcr.io
+          username: ${{ github.repository_owner }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Get Tags
+        id: meta
+        run: |
+          tags="ghcr.io/${{ github.repository }}:edge,${{ github.repository }}:edge"
+          if [[ $(date '+%d') == 01 || "${{ github.event_name }}" == "push" ]]; then
+            tags="${tags},ghcr.io/${{ github.repository }}:latest,${{ github.repository }}:latest,\
+                  ghcr.io/${{ github.repository }}:$(date '+%Y-%m-%d'),${{ github.repository }}:$(date '+%Y-%m-%d')"
+          fi
+          echo "::set-output name=tags::${tags}"
+
+      - name: Checkout repository
+        uses: actions/checkout@v2
+
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v1
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v1
+
+      - name: Build and push Docker image
+        uses: docker/build-push-action@v2
+        with:
+          context: .
+          push: true
+          tags: ${{ steps.meta.outputs.tags }}
+          platforms: linux/amd64,linux/arm64
diff --git a/.github/workflows/external_trigger.yml b/.github/workflows/external_trigger.yml
diff --git a/.github/workflows/external_trigger_scheduler.yml b/.github/workflows/external_trigger_scheduler.yml
diff --git a/.github/workflows/greetings.yml b/.github/workflows/greetings.yml
diff --git a/.github/workflows/package_trigger.yml b/.github/workflows/package_trigger.yml
diff --git a/.github/workflows/package_trigger_scheduler.yml b/.github/workflows/package_trigger_scheduler.yml
diff --git a/.github/workflows/stale.yml b/.github/workflows/stale.yml
@@ -2,22 +2,13 @@ name: Mark stale issues and pull requests
 
 on:
   schedule:
-  - cron: "30 1 * * *"
+    - cron: "6 9 * * *"
 
 jobs:
   stale:
-
     runs-on: ubuntu-latest
-
     steps:
-    - uses: actions/stale@v3
-      with:
-        stale-issue-message: "This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions."
-        stale-pr-message: "This pull request has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions."
-        stale-issue-label: 'no-issue-activity'
-        stale-pr-label: 'no-pr-activity'
-        days-before-stale: 30
-        days-before-close: 365
-        exempt-issue-labels: 'awaiting-approval,work-in-progress'
-        exempt-pr-labels: 'awaiting-approval,work-in-progress'
-        repo-token: ${{ secrets.GITHUB_TOKEN }}
+      - uses: actions/stale@v4
+        with:
+          stale-issue-message: "This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions."
+          stale-pr-message: "This pull request has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions."
diff --git a/.gitignore b/.gitignore
@@ -1,44 +1,119 @@
-# Windows image file caches
+### macOS template
+# General
+.DS_Store
+.AppleDouble
+.LSOverride
+
+# Icon must end with two \r
+Icon
+
+# Thumbnails
+._*
+
+# Files that might appear in the root of a volume
+.DocumentRevisions-V100
+.fseventsd
+.Spotlight-V100
+.TemporaryItems
+.Trashes
+.VolumeIcon.icns
+.com.apple.timemachine.donotpresent
+
+# Directories potentially created on remote AFP share
+.AppleDB
+.AppleDesktop
+Network Trash Folder
+Temporary Items
+.apdisk
+
+### JetBrains template
+# Covers JetBrains IDEs: IntelliJ, RubyMine, PhpStorm, AppCode, PyCharm, CLion, Android Studio, WebStorm and Rider
+# Reference: https://intellij-support.jetbrains.com/hc/en-us/articles/206544839
+
+.idea
+
+# CMake
+cmake-build-*/
+
+# File-based project format
+*.iws
+
+# IntelliJ
+out/
+
+# JIRA plugin
+atlassian-ide-plugin.xml
+
+# Crashlytics plugin (for Android Studio and IntelliJ)
+com_crashlytics_export_strings.xml
+crashlytics.properties
+crashlytics-build.properties
+fabric.properties
+
+### VisualStudioCode template
+.vscode
+
+# Local History for Visual Studio Code
+.history/
+
+### Windows template
+# Windows thumbnail cache files
 Thumbs.db
+Thumbs.db:encryptable
 ehthumbs.db
+ehthumbs_vista.db
+
+# Dump file
+*.stackdump
 
 # Folder config file
-Desktop.ini
+[Dd]esktop.ini
 
 # Recycle Bin used on file shares
 $RECYCLE.BIN/
 
 # Windows Installer files
 *.cab
 *.msi
+*.msix
 *.msm
 *.msp
 
 # Windows shortcuts
 *.lnk
 
-# =========================
-# Operating System Files
-# =========================
+### Linux template
+*~
 
-# OSX
-# =========================
+# temporary files which can be created if a process still has a handle open of a deleted file
+.fuse_hidden*
 
-.DS_Store
-.AppleDouble
-.LSOverride
+# KDE directory preferences
+.directory
 
-# Thumbnails
-._*
+# Linux trash folder which might appear on any partition or disk
+.Trash-*
 
-# Files that might appear on external disk
-.Spotlight-V100
-.Trashes
+# .nfs files are created when an open file is removed but is still being accessed
+.nfs*
+
+### Vim template
+# Swap
+[._]*.s[a-v][a-z]
+!*.svg  # comment out if you don't need vector files
+[._]*.sw[a-p]
+[._]s[a-rt-v][a-z]
+[._]ss[a-gi-z]
+[._]sw[a-p]
+
+# Session
+Session.vim
+Sessionx.vim
+
+# Temporary
+.netrwhist
+# Auto-generated tag files
+tags
+# Persistent undo
+[._]*.un~
 
-# Directories potentially created on remote AFP share
-.AppleDB
-.AppleDesktop
-Network Trash Folder
-Temporary Items
-.apdisk
-.jenkins-external
diff --git a/Dockerfile b/Dockerfile
@@ -1,65 +1,17 @@
-FROM ghcr.io/linuxserver/baseimage-ubuntu:bionic
+FROM ghcr.io/linuxserver/baseimage-alpine:3.20
+LABEL maintainer="Julio Gutierrez julio.guti+nordlynx@pm.me"
 
-# set version label
-ARG BUILD_DATE
-ARG VERSION
-ARG WIREGUARD_RELEASE
-LABEL build_version="Linuxserver.io version:- ${VERSION} Build-date:- ${BUILD_DATE}"
-LABEL maintainer="aptalca"
+HEALTHCHECK CMD [ $(( $(date -u +%s) - $(wg show wg0 latest-handshakes | awk '{print $2}') )) -le 120 ] || exit 1
 
-ENV DEBIAN_FRONTEND="noninteractive"
-
-RUN \
- echo "**** install dependencies ****" && \
- apt-get update && \
- apt-get install -y --no-install-recommends \
-	bc \
-	build-essential \
-	curl \
-	dkms \
-	git \
-	gnupg \ 
-	ifupdown \
-	iproute2 \
-	iptables \
-	iputils-ping \
-	jq \
-	libc6 \
-	libelf-dev \
-	net-tools \
-	openresolv \
-	perl \
-	pkg-config \
-	qrencode && \
- echo "**** install wireguard-tools ****" && \
- if [ -z ${WIREGUARD_RELEASE+x} ]; then \
-	WIREGUARD_RELEASE=$(curl -sX GET "https://api.github.com/repos/WireGuard/wireguard-tools/tags" \
-	| jq -r .[0].name); \
- fi && \
- cd /app && \
- git clone https://git.zx2c4.com/wireguard-linux-compat && \
- git clone https://git.zx2c4.com/wireguard-tools && \
- cd wireguard-tools && \
- git checkout "${WIREGUARD_RELEASE}" && \
- make -C src -j$(nproc) && \
- make -C src install && \
- echo "**** install CoreDNS ****" && \
- COREDNS_VERSION=$(curl -sX GET "https://api.github.com/repos/coredns/coredns/releases/latest" \
-	| awk '/tag_name/{print $4;exit}' FS='[""]' | awk '{print substr($1,2); }') && \
- curl -o \
-	/tmp/coredns.tar.gz -L \
-	"https://github.com/coredns/coredns/releases/download/v${COREDNS_VERSION}/coredns_${COREDNS_VERSION}_linux_amd64.tgz" && \
- tar xf \
-	/tmp/coredns.tar.gz -C \
-	/app && \
- echo "**** clean up ****" && \
- rm -rf \
-	/tmp/* \
-	/var/lib/apt/lists/* \
-	/var/tmp/*
-
-# add local files
 COPY /root /
-
-# ports and volumes
-EXPOSE 51820/udp
+RUN apk add --no-cache -U iptables ip6tables iptables-legacy wireguard-tools curl jq patch && \
+    patch --verbose -d / -p 0 -i /patch/wg-quick.patch && \
+    apk del --purge patch && \
+    rm -rf /tmp/* /patch && \
+    cd /sbin && \
+    for i in ! !-save !-restore; do \
+        rm -rf iptables$(echo "${i}" | cut -c2-) && \
+        rm -rf ip6tables$(echo "${i}" | cut -c2-) && \
+        ln -s iptables-legacy$(echo "${i}" | cut -c2-) iptables$(echo "${i}" | cut -c2-) && \
+        ln -s ip6tables-legacy$(echo "${i}" | cut -c2-) ip6tables$(echo "${i}" | cut -c2-); \
+    done
diff --git a/Dockerfile.aarch64 b/Dockerfile.aarch64
diff --git a/Dockerfile.armhf b/Dockerfile.armhf
diff --git a/Jenkinsfile b/Jenkinsfile
diff --git a/README.md b/README.md
diff --git a/jenkins-vars.yml b/jenkins-vars.yml
diff --git a/package_versions.txt b/package_versions.txt
diff --git a/readme-vars.yml b/readme-vars.yml
diff --git a/root/app/add-peer b/root/app/add-peer
diff --git a/root/app/show-peer b/root/app/show-peer
diff --git a/root/defaults/Corefile b/root/defaults/Corefile
diff --git a/root/defaults/peer.conf b/root/defaults/peer.conf
diff --git a/root/defaults/server.conf b/root/defaults/server.conf
diff --git a/root/donate.txt b/root/donate.txt
@@ -1 +1,2 @@
-WireGuard: https://www.wireguard.com/donations/
+Bubuntux: https://github.com/sponsors/bubuntux
+WireGuard: https://www.wireguard.com/donations/
diff --git a/root/etc/cont-init.d/00-firewall b/root/etc/cont-init.d/00-firewall
@@ -0,0 +1,10 @@
+#!/bin/bash
+
+iptables -P OUTPUT DROP
+iptables -P INPUT DROP
+iptables -P FORWARD DROP
+ip6tables -P OUTPUT DROP 2>/dev/null
+ip6tables -P INPUT DROP 2>/dev/null
+ip6tables -P FORWARD DROP 2>/dev/null
+
+echo "[$(date -Iseconds)] Firewall is up, everything has to go through the vpn"
diff --git a/root/etc/cont-init.d/10-validate b/root/etc/cont-init.d/10-validate
@@ -0,0 +1,19 @@
+#!/usr/bin/with-contenv bash
+
+ip link del dev test 2>/dev/null
+if ip link add dev test type wireguard; then
+  ip link del dev test
+else
+  echo "[$(date -Iseconds)] The wireguard module is not active, try \`docker run --rm --cap-add=NET_ADMIN --cap-add=SYS_MODULE -v /lib/modules:/lib/modules bubuntux/install-wireguard\` to install it or follow the proper instructions from https://www.wireguard.com/install/ to manually install it."
+  sleep infinity
+fi
+
+if ! iptables -L > /dev/null 2>&1; then
+  echo "[$(date -Iseconds)] iptables is not functional. Ensure your container config adds --cap-add=NET_RAW" 
+  sleep infinity
+fi
+
+if [[ -z ${PRIVATE_KEY} ]] && [[ -z ${PRIVATE_KEY_FILE} ]] ; then
+  echo "[$(date -Iseconds)] Missing PRIVATE_KEY, and, PRIVATE_KEY_FILE, try \`docker run --rm --cap-add=NET_ADMIN -e TOKEN=XXX bubuntux/nordvpn:get_private_key\` with access token or follow this instructions https://forum.openwrt.org/t/instruction-config-nordvpn-wireguard-nordlynx-on-openwrt/89976 to obtain the private key."
+  sleep infinity
+fi
diff --git a/root/etc/cont-init.d/20-inet b/root/etc/cont-init.d/20-inet
@@ -0,0 +1,55 @@
+#!/usr/bin/with-contenv bash
+
+network_found=false
+iface=${INTERFACE:-eth0}
+interfaces=($(ip link | awk -F': ' '$0 !~ "lo|wg|tun|tap|^[^0-9]"{print $2;getline}' | cut -d@ -f1))
+no_connenction_retry=${NO_CONNECTION_RETRY:-5}
+if [[ ! " ${interfaces[*]} " =~ " $iface " ]]; then
+    interfaces+=("$iface")
+fi
+for interface in "${interfaces[@]}"; do
+  inet="$(ip -o addr show dev "${interface}" | awk '$3 == "inet" {print $4}')"
+  if [[ -z "$inet" ]]; then
+    continue
+  fi
+  if [ "$network_found" = false ]; then
+    iptables -F
+    iptables -X
+  fi
+  echo "[$(date -Iseconds)] Enabling connection to ${interface} ${inet}"
+  iptables -A INPUT -i "$interface" -s "${inet}" -j ACCEPT
+  iptables -A OUTPUT -o "$interface" -d "${inet}" -j ACCEPT
+  iptables -A FORWARD -i "$interface" -d "${inet}" -j ACCEPT
+  iptables -A FORWARD -i "$interface" -s "${inet}" -j ACCEPT
+  network_found=true
+done
+
+if [ "$network_found" = false ]; then
+  echo "[$(date -Iseconds)] No interface network detected"
+  exit
+fi
+
+echo "[$(date -Iseconds)] Enabling connection to secure interfaces"
+
+iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
+iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
+iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
+
+iptables -A INPUT -i lo -j ACCEPT
+iptables -A OUTPUT -o lo -j ACCEPT
+iptables -A FORWARD -i lo -j ACCEPT
+
+iptables -A OUTPUT -o wg+ -j ACCEPT
+iptables -t nat -A POSTROUTING -o wg+ -j MASQUERADE
+
+iptables -A OUTPUT -o "$iface" -p udp -m udp --dport 53 -j ACCEPT
+iptables -A OUTPUT -o "$iface" -p udp -m udp --dport 51820 -j ACCEPT
+while true; do
+  iptables -A OUTPUT -o "$iface" -d api.nordvpn.com -p tcp --dport 443 -j ACCEPT\
+    || {
+      echo "Seems like we have no internet connection. Retrying in $no_connenction_retry seconds..."
+      sleep ${no_connenction_retry}
+      continue
+    }
+  break
+done
diff --git a/root/etc/cont-init.d/20-inet6 b/root/etc/cont-init.d/20-inet6
@@ -0,0 +1,55 @@
+#!/usr/bin/with-contenv bash
+
+network_found=false
+iface=${INTERFACE:-eth0}
+interfaces=($(ip link | awk -F': ' '$0 !~ "lo|wg|tun|tap|^[^0-9]"{print $2;getline}' | cut -d@ -f1))
+no_connenction_retry=${NO_CONNECTION_RETRY:-5}
+if [[ ! " ${interfaces[*]} " =~ " $iface " ]]; then
+    interfaces+=("$iface")
+fi
+for interface in "${interfaces[@]}"; do
+  inet="$(ip -o addr show dev "${interface}" | awk '$3 == "inet6" {print $4; exit}')"
+  if [[ -z "$inet" ]]; then
+    continue
+  fi
+  if [ "$network_found" = false ]; then
+    ip6tables -F
+    ip6tables -X
+  fi
+  echo "[$(date -Iseconds)] Enabling connection to ${interface} ${inet}"
+  ip6tables -A INPUT -i "$interface" -s "${inet}" -j ACCEPT
+  ip6tables -A OUTPUT -o "$interface" -d "${inet}" -j ACCEPT
+  ip6tables -A FORWARD -i "$interface" -d "${inet}" -j ACCEPT
+  ip6tables -A FORWARD -i "$interface" -s "${inet}" -j ACCEPT
+  network_found=true
+done
+
+if [ "$network_found" = false ]; then
+  echo "[$(date -Iseconds)] No interface network6 detected"
+  exit
+fi
+
+echo "[$(date -Iseconds)] Enabling connection to secure interfaces"
+
+ip6tables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
+ip6tables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
+ip6tables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
+
+ip6tables -A INPUT -i lo -j ACCEPT
+ip6tables -A OUTPUT -o lo -j ACCEPT
+ip6tables -A FORWARD -i lo -j ACCEPT
+
+ip6tables -A OUTPUT -o wg+ -j ACCEPT
+ip6tables -t nat -A POSTROUTING -o wg+ -j MASQUERADE
+
+ip6tables -A OUTPUT -o "$iface" -p udp -m udp --dport 53 -j ACCEPT
+ip6tables -A OUTPUT -o "$iface" -p udp -m udp --dport 51820 -j ACCEPT
+while true; do
+  ip6tables -A OUTPUT -o "$iface" -d api.nordvpn.com -p tcp --dport 443 -j ACCEPT\
+    || {
+      echo "Seems like we have no internet connection. Retrying in $no_connenction_retry seconds..."
+      sleep ${no_connenction_retry}
+      continue
+    }
+  break
+done
diff --git a/root/etc/cont-init.d/30-config b/root/etc/cont-init.d/30-config
diff --git a/root/etc/cont-init.d/30-route b/root/etc/cont-init.d/30-route
@@ -0,0 +1,15 @@
+#!/usr/bin/with-contenv bash
+
+[[ -n ${NETWORK} && -z ${NET_LOCAL} ]] && NET_LOCAL=${NETWORK}
+if [ -n "$NET_LOCAL" ]; then
+   iface=${INTERFACE:-eth0}
+   gw="$(ip route | awk '/default/{print $3}')"
+   for net in ${NET_LOCAL//[;,]/ }; do
+     echo "[$(date -Iseconds)] Enabling connection to network ${net}"
+      ip route | grep -q "$net" || ip route add "$net" via "$gw" dev "$iface"
+      iptables -A INPUT   -i "$iface" -s "$net" -j ACCEPT
+      iptables -A OUTPUT  -o "$iface" -d "$net" -j ACCEPT
+      iptables -A FORWARD -i "$iface" -d "$net" -j ACCEPT
+      iptables -A FORWARD -i "$iface" -s "$net" -j ACCEPT
+  done
+fi
diff --git a/root/etc/cont-init.d/30-route6 b/root/etc/cont-init.d/30-route6
@@ -0,0 +1,15 @@
+#!/usr/bin/with-contenv bash
+
+[[ -n ${NETWORK6} && -z ${NET6_LOCAL} ]] && NET6_LOCAL=${NETWORK6}
+if [ -n "$NET6_LOCAL" ]; then
+   iface=${INTERFACE:-eth0}
+   gw="$(ip -6 route | awk '/default/{print $3}')"
+   for net in ${NET6_LOCAL//[;,]/ }; do
+      echo "[$(date -Iseconds)] Enabling connection to network ${net}"
+      ip -6 route | grep -q "$net" || ip route add "$net" via "$gw" dev "$iface"
+      ip6tables -A INPUT   -i "$iface" -s "$net" -j ACCEPT
+      ip6tables -A OUTPUT  -o "$iface" -d "$net" -j ACCEPT
+      ip6tables -A FORWARD -i "$iface" -d "$net" -j ACCEPT
+      ip6tables -A FORWARD -i "$iface" -s "$net" -j ACCEPT
+  done
+fi
diff --git a/root/etc/cont-init.d/40-allowlist b/root/etc/cont-init.d/40-allowlist
@@ -0,0 +1,11 @@
+#!/usr/bin/with-contenv bash
+
+[[ -n ${WHITELIST} && -z ${ALLOW_LIST} ]] && ALLOW_LIST=${WHITELIST}
+if [[ -n ${ALLOW_LIST} ]]; then
+  for domain in ${ALLOW_LIST//[;,]/ }; do
+    domain=$(echo "$domain" | sed 's/^.*:\/\///;s/\/.*$//')
+    echo "[$(date -Iseconds)] Enabling connection to host ${domain}"
+    iptables  -A OUTPUT -o eth0 -d "${domain}" -j ACCEPT 2>/dev/null
+    ip6tables -A OUTPUT -o eth0 -d "${domain}" -j ACCEPT 2>/dev/null
+  done
+fi
diff --git a/root/etc/services.d/coredns/run b/root/etc/services.d/coredns/run
diff --git a/root/etc/services.d/wireguard/finish b/root/etc/services.d/wireguard/finish
@@ -0,0 +1,6 @@
+#!/bin/bash
+
+echo "[$(date -Iseconds)] Connection summary:"
+wg show wg0
+wg-quick down wg0
+rm -f /etc/wireguard/wg0.conf
diff --git a/root/etc/services.d/wireguard/run b/root/etc/services.d/wireguard/run
@@ -1,14 +1,64 @@
 #!/usr/bin/with-contenv bash
 
-_term() {
-  echo "Caught SIGTERM signal!"
-  wg-quick down wg0
-}
+if [[ -z ${PUBLIC_KEY} || -z ${END_POINT} ]]; then
+  echo "[$(date -Iseconds)] Finding the best server..."
+  api_url="https://api.nordvpn.com/v1/servers/recommendations?filters"
+  technology_filter="\[servers_technologies\]\[identifier\]=wireguard_udp"
+
+  # Get the country code from the country name (if provided) and add it to the API URL as a filter
+  if [[ -n ${COUNTRY_CODE} ]]; then
+    country_id=$(curl --silent "https://api.nordvpn.com/v1/servers/countries" | jq --raw-output ".[] | select(.code == \"${COUNTRY_CODE}\") | [.name, .id] | \"\(.[1])\"")
+    echo "[$(date -Iseconds)] Country ID: ${country_id}"
+    country_filter="\[country_id\]=${country_id}"
+    api_url="${api_url}${country_filter}&${technology_filter}"
+    echo "[$(date -Iseconds)] API URL: ${api_url}"
+  else
+    api_url="${api_url}${technology_filter}"
+  fi
 
-trap _term SIGTERM
+  recommendations=$(curl --retry 3 -LsS "${api_url}&${QUERY}&limit=1")
+  server=$(jq -r '.[0] | del(.services, .technologies)' <<< "${recommendations}")
+  echo "[$(date -Iseconds)] Server: ${server}"
+  if [[ -z ${server} ]]; then
+    echo "[$(date -Iseconds)] Unable to select a server ¯\_(⊙︿⊙)_/¯"
+    sleep infinity
+  fi
+#   echo "[$(date -Iseconds)] Using server: ${server}"
+  if [[ -z ${PUBLIC_KEY} ]]; then
+    PUBLIC_KEY=$(jq -r '.[0].technologies[] | select( .identifier == "wireguard_udp" ) | .metadata[] | select( .name == "public_key" ) | .value' <<< "${recommendations}")
+  fi
+  if [[ -z ${END_POINT} ]]; then
+    END_POINT=$(jq -r '.[0].hostname' <<< "${recommendations}"):51820
+  fi
+fi
 
-wg-quick up wg0
+[[ -z "${PRIVATE_KEY}" ]] && [[ -f "${PRIVATE_KEY_FILE}" ]] && PRIVATE_KEY="$(head -n 1 "${PRIVATE_KEY_FILE}")"
 
-sleep infinity &
+( umask 077 && { cat >/etc/wireguard/wg0.conf <<-EOF
+[Interface]
+PrivateKey = ${PRIVATE_KEY}
+ListenPort = ${LISTEN_PORT:-51820}
+Address = ${ADDRESS:-10.5.0.2/32}
+DNS = ${DNS:-103.86.96.100,103.86.99.100}
+Table = ${TABLE}
+PreUp = ${PRE_UP}
+PostUp = ${POST_UP}
+PreDown = ${PRE_DOWN}
+PostDown = ${POST_DOWN}
 
-wait
+[Peer]
+Endpoint = ${END_POINT}
+PublicKey = ${PUBLIC_KEY}
+AllowedIPs = ${ALLOWED_IPS:-0.0.0.0/0}
+PersistentKeepalive = ${PERSISTENT_KEEP_ALIVE:-25}
+EOF
+} && sync )
+
+echo "[$(date -Iseconds)] Connecting..."
+wg-quick up wg0 
+echo "[$(date -Iseconds)] Connected! \(ᵔᵕᵔ)/"
+
+if [[ -n ${RECONNECT} ]]; then
+  echo "[$(date -Iseconds)] Reconnecting in ${RECONNECT} seconds"
+fi
+sleep "${RECONNECT:-infinity}"
diff --git a/root/etc/services.d/wireguard/type b/root/etc/services.d/wireguard/type
@@ -0,0 +1 @@
+longrun
diff --git a/root/patch/wg-quick.patch b/root/patch/wg-quick.patch
@@ -0,0 +1,11 @@
+--- /usr/bin/wg-quick	2020-04-10 15:58:25.000000000 -0700
++++ /usr/bin/wg-quick	2020-04-10 15:58:48.000000000 -0700
+@@ -232,7 +232,7 @@
+ 	printf -v restore '%sCOMMIT\n*mangle\n-I POSTROUTING -m mark --mark %d -p udp -j CONNMARK --save-mark %s\n-I PREROUTING -p udp -j CONNMARK --restore-mark %s\nCOMMIT\n' "$restore" $table "$marker" "$marker"
+ 	printf -v nftcmd '%sadd rule %s %s postmangle meta l4proto udp mark %d ct mark set mark \n' "$nftcmd" "$pf" "$nftable" $table
+ 	printf -v nftcmd '%sadd rule %s %s premangle meta l4proto udp meta mark set ct mark \n' "$nftcmd" "$pf" "$nftable"
+-	[[ $proto == -4 ]] && cmd sysctl -q net.ipv4.conf.all.src_valid_mark=1
++#	[[ $proto == -4 ]] && cmd sysctl -q net.ipv4.conf.all.src_valid_mark=1
+ 	if type -p nft >/dev/null; then
+ 		cmd nft -f <(echo -n "$nftcmd")
+ 	else