From: Michael Tremer
Date: Fri, 25 Apr 2025 12:11:49 +0000 (+0200)
Subject: wireguard: Don't block RW peer traffic
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=f4fa8b317d41fa5650ddcad5d42cdee1affc51e5;p=ipfire-2.x.git
wireguard: Don't block RW peer traffic
Signed-off-by: Michael Tremer
---
diff --git a/src/initscripts/system/wireguard b/src/initscripts/system/wireguard
index 7632d6114..9321b09c4 100644
--- a/src/initscripts/system/wireguard
+++ b/src/initscripts/system/wireguard
@@ -285,6 +285,12 @@ reload_firewall() {
 iptables -F WGBLOCK
+ # Don't block any traffic from Roadwarrior peers
+ if [ -n "${CLIENT_POOL}" ]; then
+ iptables -A WGBLOCK -s "${CLIENT_POOL}" -i wg0 -j RETURN
+ iptables -A WGBLOCK -d "${CLIENT_POOL}" -o wg0 -j RETURN
+ fi
+ # Block all other traffic
 iptables -A WGBLOCK -j REJECT --reject-with icmp-admin-prohibited
 }
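Review bot: The comment above the new `if` block understates what the two rules do. The second rule also exempts traffic going to the pool (`-d "${CLIENT_POOL}" -o wg0`), and `RETURN` only hands the packet back to the calling chain rather than accepting it. What policy then applies to Roadwarrior traffic depends on rules outside this hunk, so the comment should say so, e.g. `# Exempt Roadwarrior pool traffic (both directions) from WGBLOCK; RETURN defers to the calling chain, it is not an ACCEPT`. The `[ -n "${CLIENT_POOL}" ]` guard only checks for a non-empty value and the `iptables` exit codes are not checked. A malformed pool would therefore leave the chain with just the final REJECT, which fails closed but silently, so a logged warning on failure would help diagnosis. The body of `reload_firewall` begins outside the hunk.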