From: Michael Tremer
Date: Sat, 26 Apr 2025 12:30:44 +0000 (+0200)
Subject: wireguard: Automatically apply MASQUERADE for peers with local address
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=459bb750298c09990c0c8d4677f0f442887304d0;p=people%2Fms%2Fipfire-2.x.git

wireguard: Automatically apply MASQUERADE for peers with local address

In this case we are the client and we cannot leak any local subnets.

Signed-off-by: Michael Tremer
---

diff --git a/src/initscripts/system/firewall b/src/initscripts/system/firewall
index c6e3e9671..0d5bb0061 100644
--- a/src/initscripts/system/firewall
+++ b/src/initscripts/system/firewall
@@ -220,6 +220,10 @@ iptables_init() {
 iptables -A INPUT -i wg+ -j WGBLOCK
 iptables -A FORWARD -i wg+ -j WGBLOCK
 
+ # NAT for WireGuard peers
+ iptables -t nat -N WGNAT
+ iptables -t nat -A POSTROUTING -j WGNAT
+
 # Block OpenVPN transfer networks
 iptables -N OVPNBLOCK
 iptables -A INPUT -i tun+ -j OVPNBLOCK
diff --git a/src/initscripts/system/wireguard b/src/initscripts/system/wireguard
index d8c869b9d..ac7438a24 100644
--- a/src/initscripts/system/wireguard
+++ b/src/initscripts/system/wireguard
@@ -212,6 +212,9 @@ generate_config() {
 # Assign the local address
 if [ -n "${local_address}" ]; then
 ip addr add "${local_address}" dev "${intf}"
+
+ # Apply MASQUERADE
+ iptables -t nat -A WGNAT -o "${intf}" -j MASQUERADE
 fi
 
 echo "[Interface]"
@@ -287,6 +290,7 @@ generate_config() {
 reload_firewall() {
 # Flush all previous rules
 iptables -F WGINPUT
+ iptables -t nat -F WGNAT
 
 if [ "${ENABLED}" = "on" ]; then
 iptables -A WGINPUT -p udp --dport "${PORT}" -j ACCEPT
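Review bot: The comment on the new WGNAT chain does not say who fills it, so a reader of the firewall initscript alone cannot tell that the chain is intentionally left empty here and is managed from the wireguard initscript (populated in generate_config, flushed in reload_firewall). Suggest `# NAT for WireGuard peers (rules are added and flushed by the wireguard initscript)`. The jump is appended to POSTROUTING, so it runs after whatever NAT rules iptables_init installed before this point; if that ordering is deliberate, a short sentence saying so would save the next reader from checking. iptables_init begins and ends outside the hunk.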
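Review bot: The MASQUERADE rule is appended unconditionally every time generate_config runs for a peer with a local address, and nothing in the hunk removes an earlier copy; unless every call is preceded by the flush in reload_firewall, restarting or regenerating a single peer would accumulate duplicate rules in WGNAT. A guarded form avoids that: `iptables -t nat -C WGNAT -o "${intf}" -j MASQUERADE 2>/dev/null || iptables -t nat -A WGNAT -o "${intf}" -j MASQUERADE`. The rule matches only on the outgoing interface, so all traffic leaving via the tunnel, not just packets from the local address, is masqueraded; that matches the commit message's intent ("cannot leak any local subnets") and is worth stating in the comment, e.g. `# Apply MASQUERADE to everything leaving via this tunnel so internal subnets are never exposed to the peer`. A function named generate_config now also has a firewall side effect whose counterpart flush lives in reload_firewall; a one-line comment pointing there keeps the two in step. generate_config begins and ends outside the hunk.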
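Review bot: Flushing WGNAT here discards the MASQUERADE rules that generate_config installed, but the visible part of reload_firewall only re-adds the WGINPUT accept rule; if reload_firewall can run while peers are already up without generate_config being re-run for each of them, those peers lose NAT until they are restarted. The remainder of reload_firewall is outside the hunk, so this is inferred from what is shown. If such a path exists, re-adding the rule for every active wg interface after the flush, or moving the MASQUERADE handling out of config generation into the per-peer up/down path, would keep the flush and the add symmetric. At minimum the comment could say `# Flush all previous rules (WGNAT is refilled by generate_config)` so the dependency is explicit.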