From: Michael Tremer
Date: Tue, 22 Apr 2025 17:59:43 +0000 (+0200)
Subject: firewall: Actually create WireGuard rules
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=3bcb69888eabf32ebfec10389cbb42eed8c91837;p=people%2Fms%2Fipfire-2.x.git

firewall: Actually create WireGuard rules

Signed-off-by: Michael Tremer
---

diff --git a/config/cfgroot/wireguard-functions.pl b/config/cfgroot/wireguard-functions.pl
index bbdf122a6..79b3bb097 100644
--- a/config/cfgroot/wireguard-functions.pl
+++ b/config/cfgroot/wireguard-functions.pl
@@ -184,6 +184,7 @@ sub load_peer($) {
 "LOCAL_SUBNETS" => &decode_subnets($peers{$key}[10]),
 "PSK" => $peers{$key}[11],
 "KEEPALIVE" => $peers{$key}[12],
+ "INTERFACE" => ($type eq "host") ? "wg0" : "wg${key}",
 );

 return \%peer;
diff --git a/config/firewall/firewall-lib.pl b/config/firewall/firewall-lib.pl
index 92c1de957..1977be19f 100644
--- a/config/firewall/firewall-lib.pl
+++ b/config/firewall/firewall-lib.pl
@@ -385,6 +385,25 @@ sub get_address
 push(@ret, [$host_address, ""]);
 }

+ # WireGuard Peers
+ } elsif ($key eq 'wg_peer_src' || $key eq 'wg_peer_tgt') {
+ my $peer = &Wireguard::get_peer_by_name($value);
+ if (defined $peer) {
+ my $remotes;
+
+ # Select the remote IP addresses
+ if ($peer->{'TYPE'} eq 'host') {
+ $remotes = $peer->{'CLIENT_ADDRESS'};
+ } elsif ($peer->{'TYPE'} eq 'net') {
+ $remotes = $peer->{'REMOTE_SUBNETS'};
+ }
+
+ # Add all remotes
+ foreach my $remote (@$remotes) {
+ push(@ret, [$remote, $peer->{'INTERFACE'}]);
+ }
+ }
+
 # OpenVPN networks.
 } elsif ($key ~~ ["ovpn_net_src", "ovpn_net_tgt", "OpenVPN static network"]) {
 my $network_address = &get_ovpn_net_ip($value, 1);
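Review bot: The added `"INTERFACE"` entry interpolates `$key` straight into a device name and sends every type other than "host" down the `wg${key}` branch, with no check visible in this hunk that the key is a plain number. The firewall-lib.pl hunk of this commit hands the value out as the interface half of each address pair, so a malformed key in the peers data would presumably reach the generated rules as an interface that matches no device. If load_peer does not already validate the key, reject the entry before the hash is built, for example `return unless $key =~ /\A\d+\z/;`, and document the mapping with `# host peers share wg0; every other peer gets its own wg<key> device`. `$type` and `$key` are defined outside the hunk, and load_peer starts and ends outside it.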
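Review bot: When `get_peer_by_name` returns nothing, or the peer's TYPE is neither 'host' nor 'net', the new `wg_peer_src`/`wg_peer_tgt` branch leaves `@ret` empty without any diagnostic, so a rule that names a deleted or renamed peer yields no addresses silently. What the caller does with an empty list is not visible here and should be confirmed, because a blocking rule that quietly disappears fails open. Add an `else` to `if (defined $peer)` that reports the unresolved name through whatever diagnostics this library already uses, and declare `my $remotes = [];` so the loop no longer relies on `foreach` autovivifying an undefined reference. The branch also assumes `CLIENT_ADDRESS` and `REMOTE_SUBNETS` are array references, which the other hunk does not show. get_address starts and ends outside the hunk.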