fix: remove sysctls from host network container and apply them to host OS

2026-03-08 15:01:48 +07:00 · 2026-03-08 15:01:48 +07:00 · 2cbaab23c5
commit 2cbaab23c5
parent 9eeb3f7c7d
2 changed files with 20 additions and 8 deletions
--- a/README.md
+++ b/README.md
@ -45,8 +45,6 @@ docker run -d \
  --name npm-wg \
  --cap-add=NET_ADMIN \
  --cap-add=SYS_MODULE \
-  --sysctl net.ipv4.ip_forward=1 \
-  --sysctl net.ipv4.conf.all.src_valid_mark=1 \
  --network host \
  -v npm-wg-data:/data \
  -v npm-wg-letsencrypt:/etc/letsencrypt \
@ -67,9 +65,6 @@ services:
    cap_add:
      - NET_ADMIN
      - SYS_MODULE
-    sysctls:
-      - net.ipv4.ip_forward=1
-      - net.ipv4.conf.all.src_valid_mark=1
    network_mode: "host"
    volumes:
      - data:/data
--- a/install.sh
+++ b/install.sh
@ -128,6 +128,22 @@ install_deps() {
    log_ok "All system dependencies are ready."
 }

+# -----------------------------------------------------------
+#  x. Apply sysctls to Host (For WireGuard in Host Network Mode)
+# -----------------------------------------------------------
+apply_sysctls_to_host() {
+    log_step "Applying required sysctl network parameters to host..."
+    sysctl -w net.ipv4.ip_forward=1 >/dev/null 2>&1
+    sysctl -w net.ipv4.conf.all.src_valid_mark=1 >/dev/null 2>&1
+
+    # Persist sysctls if they don't already exist
+    if [ -f /etc/sysctl.conf ]; then
+        grep -q 'net.ipv4.ip_forward=1' /etc/sysctl.conf || echo 'net.ipv4.ip_forward=1' >> /etc/sysctl.conf
+        grep -q 'net.ipv4.conf.all.src_valid_mark=1' /etc/sysctl.conf || echo 'net.ipv4.conf.all.src_valid_mark=1' >> /etc/sysctl.conf
+    fi
+    log_ok "Host network parameters configured."
+}
+
 # -----------------------------------------------------------
 #  x. Generate docker-compose.yml
 # -----------------------------------------------------------
@ -148,9 +164,6 @@ services:
    cap_add:
      - NET_ADMIN
      - SYS_MODULE
-    sysctls:
-      - net.ipv4.ip_forward=1
-      - net.ipv4.conf.all.src_valid_mark=1
    network_mode: "host"
    volumes:
      - ./data:/data
@ -208,6 +221,9 @@ do_install() {
    mkdir -p "$INSTALL_DIR"
    log_ok "Directory created."

+    # --- Apply Sysctls ---
+    apply_sysctls_to_host
+
    # --- Write docker-compose.yml ---
    generate_docker_compose "$wg_host"

@ -376,6 +392,7 @@ do_update() {
        log_warn "Could not extract WG_HOST. Using ${current_wg_host}."
    fi

+    apply_sysctls_to_host
    generate_docker_compose "$current_wg_host"

    log_step "Pulling latest image..."