wireguard: Don't block RW peer traffic

author Michael Tremer <michael.tremer@ipfire.org>

Fri, 25 Apr 2025 12:11:49 +0000 (14:11 +0200)

committer Michael Tremer <michael.tremer@ipfire.org>

Fri, 25 Apr 2025 12:11:49 +0000 (14:11 +0200)
author Michael Tremer <michael.tremer@ipfire.org>
Fri, 25 Apr 2025 12:11:49 +0000 (14:11 +0200)
committer Michael Tremer <michael.tremer@ipfire.org>
Fri, 25 Apr 2025 12:11:49 +0000 (14:11 +0200)
diff --git a/src/initscripts/system/wireguard b/src/initscripts/system/wireguard

index 7632d6114f3a0168f459266749c5acbdbd434411..9321b09c459a8f1b333fbcb1f74ae77945c380cf 100644 (file)
--- a/src/initscripts/system/wireguard
+++ b/src/initscripts/system/wireguard
@@ -285,6 +285,12 @@ reload_firewall() {
  
         iptables -F WGBLOCK
  
+       # Don't block any traffic from Roadwarrior peers
+       if [ -n "${CLIENT_POOL}" ]; then
+               iptables -A WGBLOCK -s "${CLIENT_POOL}" -i wg0 -j RETURN
+               iptables -A WGBLOCK -d "${CLIENT_POOL}" -o wg0 -j RETURN
+       fi
+
         # Block all other traffic
         iptables -A WGBLOCK -j REJECT --reject-with icmp-admin-prohibited
  }
author	Michael Tremer <michael.tremer@ipfire.org>
	Fri, 25 Apr 2025 12:11:49 +0000 (14:11 +0200)
committer	Michael Tremer <michael.tremer@ipfire.org>
	Fri, 25 Apr 2025 12:11:49 +0000 (14:11 +0200)