From f4fa8b317d41fa5650ddcad5d42cdee1affc51e5 Mon Sep 17 00:00:00 2001 From: Michael Tremer Date: Fri, 25 Apr 2025 14:11:49 +0200 Subject: [PATCH] wireguard: Don't block RW peer traffic Signed-off-by: Michael Tremer --- src/initscripts/system/wireguard | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/src/initscripts/system/wireguard b/src/initscripts/system/wireguard index 7632d6114..9321b09c4 100644 --- a/src/initscripts/system/wireguard +++ b/src/initscripts/system/wireguard @@ -285,6 +285,12 @@ reload_firewall() { iptables -F WGBLOCK + # Don't block any traffic from Roadwarrior peers + if [ -n "${CLIENT_POOL}" ]; then + iptables -A WGBLOCK -s "${CLIENT_POOL}" -i wg0 -j RETURN + iptables -A WGBLOCK -d "${CLIENT_POOL}" -o wg0 -j RETURN + fi + # Block all other traffic iptables -A WGBLOCK -j REJECT --reject-with icmp-admin-prohibited } -- 2.39.5
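Review bot: The two RETURN rules added after `iptables -F WGBLOCK` match on address alone, so everything on wg0 that falls inside `${CLIENT_POOL}` skips the final REJECT, and the only check on that value in the hunk is `-n`. If the pool is ever set too wide, or overlaps the allowed IPs of another peer on wg0, that peer's traffic would bypass the block as well; where CLIENT_POOL is read and validated is not visible here, so this is worth confirming at the place it is set. A malformed value makes both `iptables -A` calls fail and leaves roadwarrior peers rejected, which is fail-closed but silent, since neither exit status is checked. I would record the intent in the comment, e.g. `# RETURN only skips the REJECT below, the calling chain still filters; CLIENT_POOL must be a single IPv4 CIDR`. reload_firewall starts above the hunk, so earlier handling may already cover some of this.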