iptables -N WIRELESSFORWARD
iptables -A FORWARD -m conntrack --ctstate NEW -j WIRELESSFORWARD
+ # WireGuard
+ iptables -N WGINPUT
+ iptables -A INPUT -j WGINPUT
+
# OpenVPN
iptables -N OVPNINPUT
iptables -A INPUT -j OVPNINPUT
done < /var/ipfire/wireguard/peers
}
+reload_firewall() {
+ # Flush all previous rules
+ iptables -F WGINPUT
+
+ if [ "${ENABLED}" = "on" ]; then
+ iptables -A WGINPUT -p udp --dport "${PORT}" -j ACCEPT
+ fi
+}
+
wg_start() {
+ # Reload the firewall
+ reload_firewall
+
# Create the interface if it does not exist
if [ ! -d "/sys/class/net/${INTF}" ]; then
ip link add "${INTF}" type wireguard || return $?
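Review bot: The exit status of `reload_firewall` is dropped in `wg_start`: `iptables -F WGINPUT` fails if the chain has not been created yet (the firewall script in the first hunk is what creates it), the following `-A` then fails as well, and the interface is still brought up with the UDP port closed, while every neighbouring command in `wg_start` uses `|| return $?`. Call it as `reload_firewall || return $?` and let the function propagate its own failures, e.g. `iptables -F WGINPUT || return $?` and `iptables -A WGINPUT -p udp --dport "${PORT}" -j ACCEPT || return $?`. Because `${PORT}` comes from configuration not visible here, a guard such as `[ -n "${PORT}" ] || return 1` before the `-A` would give a clearer failure than an iptables parse error; whether PORT is validated elsewhere cannot be seen from this hunk. The body of `wg_start` continues past the end of the hunk.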
}
wg_stop() {
+ # Reload the firewall
+ ENABLED=off reload_firewall
+
if [ -d "/sys/class/net/${INTF}" ]; then
ip link del "${INTF}" || return $?
fi
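Review bot: `ENABLED=off reload_firewall` relies on the assignment being scoped to the function call, but POSIX leaves it unspecified whether such an assignment persists after a function returns (bash restores it except in POSIX mode, other shells differ), and the file's shebang is outside this hunk, so anything later in `wg_stop` or the script that reads `${ENABLED}` could observe `off`. A form that cannot leak, such as `( ENABLED=off; reload_firewall ) || return $?`, or passing the state to `reload_firewall` as an argument, removes the dependence on the shell's mode. As in `wg_start`, the call's result is ignored here while `ip link del` uses `|| return $?`; on the stop path a failed flush is less serious, but it still leaves the port rule in place after the interface is gone. The body of `wg_stop` continues outside the hunk.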