wireguard: Automatically apply MASQUERADE for peers with local address
authorMichael Tremer <michael.tremer@ipfire.org>
Sat, 26 Apr 2025 12:30:44 +0000 (14:30 +0200)
committerMichael Tremer <michael.tremer@ipfire.org>
Sat, 26 Apr 2025 12:30:44 +0000 (14:30 +0200)
In this case we are the client, and we must not leak any local subnets.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
src/initscripts/system/firewall
src/initscripts/system/wireguard

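index c6e3e96716b833f165a5b636a99140029b130c29..0d5bb0061514428aa2a428e89a223f2acabeb9ca 100644
--- a/src/initscripts/system/firewall
+++ b/src/initscripts/system/firewall
@@ -220,6 +220,10 @@ iptables_init() {
        iptables -A INPUT   -i wg+ -j WGBLOCK
        iptables -A FORWARD -i wg+ -j WGBLOCK
 
+       # NAT for WireGuard peers
+       iptables -t nat -N WGNAT
+       iptables -t nat -A POSTROUTING -j WGNAT
+
        # Block OpenVPN transfer networks
        iptables -N OVPNBLOCK
        iptables -A INPUT   -i tun+ -j OVPNBLOCK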
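Review bot: The comment on the new WGNAT chain does not say who fills it: the chain is created empty in iptables_init and its MASQUERADE rules are appended by the wireguard initscript, so a reader of this function cannot tell that the chain is populated and flushed elsewhere. Suggest `# NAT for WireGuard peers (rules are appended by the wireguard initscript and flushed by its reload_firewall)`. The jump is appended to POSTROUTING unconditionally, so its position relative to any other POSTROUTING NAT rules in this function decides which rule matches first; that ordering is outside the hunk. iptables_init continues outside the hunk.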
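index d8c869b9d6841c72b093731122f6c85e6a705aa6..ac7438a24840cd5960a1928938282e67e05f1085 100644
--- a/src/initscripts/system/wireguard
+++ b/src/initscripts/system/wireguard
@@ -212,6 +212,9 @@ generate_config() {
                # Assign the local address
                if [ -n "${local_address}" ]; then
                        ip addr add "${local_address}" dev "${intf}"
+
+                       # Apply MASQUERADE
+                       iptables -t nat -A WGNAT -o "${intf}" -j MASQUERADE
                fi
 
                echo "[Interface]"
@@ -287,6 +290,7 @@ generate_config() {
 reload_firewall() {
        # Flush all previous rules
        iptables -F WGINPUT
+       iptables -t nat -F WGNAT
 
        if [ "${ENABLED}" = "on" ]; then
                iptables -A WGINPUT -p udp --dport "${PORT}" -j ACCEPT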
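Review bot: reload_firewall now flushes WGNAT but re-creates only the WGINPUT rule, while the MASQUERADE rule is appended in generate_config (the first hunk of this file); a reload that runs reload_firewall without regenerating every interface would leave peers with a local address un-NATed and expose local source addresses to the remote side, which is exactly what the commit sets out to prevent, and generate_config runs without a preceding flush would accumulate duplicate rules. Whether the start and reload paths call both functions in the right order is outside these hunks, so this is an inferred risk rather than a visible defect. If the MASQUERADE append cannot move into reload_firewall, the coupling should at least be documented at the flush: `# WGNAT is refilled by generate_config; keep this flush and the interface setup in sync`. Both generate_config and reload_firewall continue outside the hunks.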