From 89b976e9a7e4da13b82de4aadadb63ffaf3031a6 Mon Sep 17 00:00:00 2001
From: Michael Tremer
Date: Thu, 25 Apr 2024 20:32:57 +0200
Subject: [PATCH] wireguard: Block unauthorized traffic
Signed-off-by: Michael Tremer
---
 src/initscripts/system/firewall | 5 +++++
 src/initscripts/system/wireguard | 21 ++++++++++++++++++---
 2 files changed, 23 insertions(+), 3 deletions(-)
diff --git a/src/initscripts/system/firewall b/src/initscripts/system/firewall
index b7e8a9cda..457d69dde 100644
--- a/src/initscripts/system/firewall
+++ b/src/initscripts/system/firewall
@@ -215,6 +215,11 @@ iptables_init() {
 iptables -A FORWARD -m policy --dir out --pol none -j IPSECBLOCK
 iptables -A OUTPUT -m policy --dir out --pol none -j IPSECBLOCK
 
+ # Block unauthorized WireGuard traffic
+ ipatbles -N WGBLOCK
+ iptables -A INPUT -i wg+ -j WGBLOCK
+ iptables -A FORWARD -i wg+ -j WGBLOCK
+
 # Block OpenVPN transfer networks
 iptables -N OVPNBLOCK
 iptables -A INPUT -i tun+ -j OVPNBLOCK
diff --git a/src/initscripts/system/wireguard b/src/initscripts/system/wireguard
index daadcb73b..0de356613 100644
--- a/src/initscripts/system/wireguard
+++ b/src/initscripts/system/wireguard
@@ -51,7 +51,11 @@ generate_config() {
 local keepalive
 local _rest
 
- local subnet
+ local local_subnet
+ local remote_subnet
+
+ # Flush firewall rules
+ iptables -F WGBLOCK
 
 # Flush all previously set routes
 ip route flush dev "${INTF}"
@@ -85,8 +89,8 @@ generate_config() {
 
 # Apply the routes
 if [ "${type}" = "net" ]; then
- for subnet in ${remote_subnets//|/,}; do
- ip route add "${subnet}" dev "${INTF}"
+ for remote_subnet in ${remote_subnets//|/,}; do
+ ip route add "${remote_subnet}" dev "${INTF}"
 done
 fi
 fi
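Review bot: The chain creation on the second added line is misspelled, `ipatbles -N WGBLOCK`, so the WGBLOCK chain is never created and the two `-j WGBLOCK` jump rules right below it fail with a missing-chain error; nothing arriving on wg+ interfaces is filtered, and every `iptables -F WGBLOCK` / `iptables -A WGBLOCK` call the wireguard initscript adds (hunks at +51 and +99) errors for the same reason. The fix is the one-word correction `iptables -N WGBLOCK`. The rest of iptables_init() is outside the hunk; unless it runs under set -e (not visible here), the failure at boot is only a line on stderr and the firewall comes up without the intended block.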
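Review bot: `iptables -F WGBLOCK` at the top of generate_config() empties the chain before any per-peer RETURN rule or the terminating REJECT (appended at the end of the function in the hunk at +99) is back in place, so while the peers file is being processed the user chain has no rules, returns to INPUT/FORWARD, and wg+ traffic passes unfiltered; if the function stops part-way it stays that way. Append the catch-all immediately after the flush, `iptables -A WGBLOCK -j REJECT --reject-with icmp-admin-prohibited`, and add the allow rules above it with `iptables -I WGBLOCK -s "${remote_subnet}" -d "${local_subnet}" -j RETURN`, so the chain is never open (the RETURN rules are order-independent among themselves). The flush is also unguarded: when the chain does not exist the command prints an error and the function carries on and emits the config anyway, so a `|| return 1` on that line would make the failure visible to the caller. The remainder of generate_config() lies outside this hunk.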
@@ -95,7 +99,18 @@ generate_config() {
 if [ -n "${keepalive}" ]; then
 echo "PersistentKeepalive = ${keepalive}"
 fi
+
+ # Set blocking rules
+ for local_subnet in ${local_subnets//|/ }; do
+ for remote_subnet in ${remote_subnets//|/ }; do
+ iptables -A WGBLOCK \
+ -s "${remote_subnet}" -d "${local_subnet}" -j RETURN
+ done
+ done
 done < /var/ipfire/wireguard/peers
+
+ # Block all other traffic
+ iptables -A WGBLOCK -j REJECT --reject-with icmp-admin-prohibited
 }
 
 reload_firewall() {
-- 
2.39.5
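Review bot: The blocking loops split the peer lists on spaces, `${local_subnets//|/ }` and `${remote_subnets//|/ }`, while the route loop in the hunk at +89 splits the same `remote_subnets` value with `${remote_subnets//|/,}`; under the default IFS the comma form stays one word, so a peer with more than one remote subnet would get correct WGBLOCK rules but a single comma-joined `ip route add` argument — unless IFS is changed elsewhere in generate_config(), which is outside this hunk. If the space form is the intended one, the route loop should use it as well, `for remote_subnet in ${remote_subnets//|/ }; do`. Since generate_config() otherwise only prints the WireGuard config to stdout (the `echo "PersistentKeepalive = ..."` line above), the new firewall side effect deserves a header note, e.g. `# Side effect: rebuilds the WGBLOCK chain from the peers file; the config itself is written to stdout`.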