From 53443e304a1e361f2f236fa56ee95cb7280490cd Mon Sep 17 00:00:00 2001
From: Vincent Li <vincent.mc.li@gmail.com>
Date: Wed, 25 Jun 2025 09:29:27 -0700
Subject: [PATCH] wireguard: Block unauthorized traffic

commit 89b976e9a7e4da13b82de4aadadb63ffaf3031a6
Author: Michael Tremer <michael.tremer@ipfire.org>
Date:   Thu Apr 25 20:32:57 2024 +0200

    wireguard: Block unauthorized traffic

    Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
---
 src/initscripts/system/firewall | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/src/initscripts/system/firewall b/src/initscripts/system/firewall
index 78986fdbf..d0b5886b3 100644
--- a/src/initscripts/system/firewall
+++ b/src/initscripts/system/firewall
@@ -217,6 +217,11 @@ iptables_init() {
 	iptables -A FORWARD -m policy --dir out --pol none -j IPSECBLOCK
 	iptables -A OUTPUT  -m policy --dir out --pol none -j IPSECBLOCK
 
+	# Block unauthorized WireGuard traffic
+	ipatbles -N WGBLOCK
+	iptables -A INPUT   -i wg+ -j WGBLOCK
+	iptables -A FORWARD -i wg+ -j WGBLOCK
+
 	# Block OpenVPN transfer networks
 	iptables -N OVPNBLOCK
 	iptables -A INPUT   -i tun+ -j OVPNBLOCK