From fc32e7b9147d2eeeb6e2bc1497859fb050001eb5 Mon Sep 17 00:00:00 2001
From: Michael Tremer
Date: Tue, 16 Apr 2024 16:20:55 +0200
Subject: [PATCH] firewall: Automatically open ports for WireGuard

Signed-off-by: Michael Tremer
---
 src/initscripts/system/firewall | 4 ++++
 src/initscripts/system/wireguard | 15 +++++++++++++++
 2 files changed, 19 insertions(+)

diff --git a/src/initscripts/system/firewall b/src/initscripts/system/firewall
index 6befa9fc3..b7e8a9cda 100644
--- a/src/initscripts/system/firewall
+++ b/src/initscripts/system/firewall
@@ -319,6 +319,10 @@ iptables_init() {
 	iptables -N WIRELESSFORWARD
 	iptables -A FORWARD -m conntrack --ctstate NEW -j WIRELESSFORWARD
 
+	# WireGuard
+	iptables -N WGINPUT
+	iptables -A INPUT -j WGINPUT
+
 	# OpenVPN
 	iptables -N OVPNINPUT
 	iptables -A INPUT -j OVPNINPUT
diff --git a/src/initscripts/system/wireguard b/src/initscripts/system/wireguard
index 42428aee0..2ad6b9fe2 100644
--- a/src/initscripts/system/wireguard
+++ b/src/initscripts/system/wireguard
@@ -78,7 +78,19 @@ generate_config() {
 	done < /var/ipfire/wireguard/peers
 }
 
+reload_firewall() {
+	# Flush all previous rules
+	iptables -F WGINPUT
+
+	if [ "${ENABLED}" = "on" ]; then
+		iptables -A WGINPUT -p udp --dport "${PORT}" -j ACCEPT
+	fi
+}
+
 wg_start() {
+	# Reload the firewall
+	reload_firewall
+
 	# Create the interface if it does not exist
 	if [ ! -d "/sys/class/net/${INTF}" ]; then
 		ip link add "${INTF}" type wireguard || return $?
@@ -99,6 +111,9 @@ wg_start() {
 }
 
 wg_stop() {
+	# Reload the firewall
+	ENABLED=off reload_firewall
+
 	if [ -d "/sys/class/net/${INTF}" ]; then
 		ip link del "${INTF}" || return $?
 	fi
-- 
2.39.5
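Review bot: The new WGINPUT chain is only created in the IPv4 table; no ip6tables counterpart is added in this hunk, so if WireGuard is also expected to accept peers over IPv6 the listening port stays closed there (the neighbouring OVPNINPUT lines follow the same IPv4-only pattern, so this may be deliberate). The `# WireGuard` comment would be more useful if it named the cross-file dependency, e.g. `# WireGuard (chain is populated by reload_firewall in the wireguard initscript)`, since nothing in this file ever adds rules to the chain. iptables_init continues outside the hunk.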
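Review bot: `reload_firewall` runs at the top of wg_start, before `ip link add`, so when any of the later `|| return $?` paths fail the UDP port has already been opened for an interface that never came up; either call it once the device is configured, or flush WGINPUT on the failure paths. The `-A WGINPUT -p udp --dport "${PORT}"` line also depends on PORT being set: with an empty value iptables rejects the rule, the exit status is not checked, and the service starts silently without the port opened — a guard such as `[ -n "${PORT}" ] || return 1` before the append would surface that. The accept rule carries no `-i` match, so it admits the port on every interface; that may be intended for a VPN endpoint but deserves a comment, and the unconditional `iptables -F WGINPUT` will fail (non-fatally) if the firewall initscript that creates the chain has not run yet. wg_start's body continues outside the hunk.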
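Review bot: `ENABLED=off reload_firewall` relies on a temporary assignment in front of a shell function call, and POSIX leaves it unspecified whether that assignment persists after the function returns — under dash it does, so ENABLED would stay "off" for the rest of the script, which matters if stop and start ever run in the same process (a restart action, not visible here). A subshell makes the scope explicit while keeping the iptables side effects: `( ENABLED=off; reload_firewall )`. Alternatively give reload_firewall an explicit argument instead of a global, though that touches the previous hunk as well. wg_stop's body continues outside the hunk.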