diff --git a/config/cfgroot/wireguard-functions.pl b/config/cfgroot/wireguard-functions.pl index e6b5e08ba..763129262 100644 --- a/config/cfgroot/wireguard-functions.pl +++ b/config/cfgroot/wireguard-functions.pl @@ -344,6 +344,9 @@ sub free_pool_addresses($$) { my @used_addresses = (); my @free_addresses = (); + # wg0 IP is reserved so put in @used_addresses + push(@used_addresses, &Network::ip2bin($settings{'ADDRESS'})); + # Collect all used addresses foreach my $key (keys %peers) { my $peer = &load_peer($key); diff --git a/html/cgi-bin/wireguard.cgi b/html/cgi-bin/wireguard.cgi index b47ae1bc0..26f7b97fb 100644 --- a/html/cgi-bin/wireguard.cgi +++ b/html/cgi-bin/wireguard.cgi @@ -87,6 +87,21 @@ if ($cgiparams{"ACTION"} eq $Lang::tr{'save'}) { $Wireguard::settings{'CLIENT_DNS'} = join("|", @client_dns); } + # Check wg0 ADDRESS - make it optional + if (defined $cgiparams{'ADDRESS'}) { + if ($cgiparams{'ADDRESS'} ne '') { + my $address = $cgiparams{'ADDRESS'}; + unless (&Network::check_ip_address($address)) { + push(@errormessages, "$Lang::tr{'wg invalid wg0 address'}: ${address}"); + } + # Store ADDRESS only if it's valid and not empty + $Wireguard::settings{'ADDRESS'} = $address; + } else { + # Explicitly set to empty string when field is empty + $Wireguard::settings{'ADDRESS'} = ''; + } + } + # Don't continue on error goto MAIN if (scalar @errormessages); @@ -805,14 +820,21 @@ MAIN: - $Lang::tr{'wg endpoint'} + $Lang::tr{'wg endpoint'} * + + $Lang::tr{'wg address'} + + + + + - $Lang::tr{'port'} + $Lang::tr{'port'} * @@ -824,7 +846,7 @@ MAIN: - + - +
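Review bot: The added `push(@used_addresses, &Network::ip2bin($settings{'ADDRESS'}));` runs unconditionally, but the companion wireguard.cgi change makes ADDRESS optional and explicitly stores `''` when the field is left empty, so ip2bin is then called on an empty string and whatever it returns for that input (ip2bin is not on the page) is pushed into the reserved list. Guard the push: `push(@used_addresses, &Network::ip2bin($settings{'ADDRESS'})) if defined $settings{'ADDRESS'} && $settings{'ADDRESS'} ne '';`. The comment would also be clearer as `# The wg0 interface address is never handed out to a peer, so treat it as used`. free_pool_addresses continues past the end of the hunk.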
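Review bot: The comment `# Store ADDRESS only if it's valid and not empty` does not match the code beneath it: `$Wireguard::settings{'ADDRESS'} = $address;` executes whether or not `&Network::check_ip_address($address)` accepted the value, because it sits after the `unless` block instead of in its else branch. The `goto MAIN if (scalar @errormessages)` further down presumably keeps the settings from being written, but the in-memory settings hash still carries the rejected string for the rest of the request, and that is the value the initscript later passes straight to `ip a add`, so the validation is the only thing standing between the form field and a shell-executed command line. Either move the assignment into an `else` of the `unless`, or reword the comment to `# Stored even when invalid; the error pushed above aborts the save below`. The enclosing `if ($cgiparams{"ACTION"} eq $Lang::tr{'save'})` block starts before and ends after the hunk.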
$Lang::tr{'wg client pool'}$Lang::tr{'wg client pool'} * @@ -832,7 +854,7 @@ MAIN:
$Lang::tr{'wg dns'}$Lang::tr{'wg dns'} * diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl index b39df6f17..2d2ea9e82 100644 --- a/langs/en/cgi-bin/en.pl +++ b/langs/en/cgi-bin/en.pl @@ -3125,6 +3125,8 @@ 'week-graph' => 'Week', 'weekly firewallhits' => 'weekly firewallhits', 'weeks' => 'Weeks', +'wg' => 'WireGuard', +'wg address' => 'Address', 'wg client configuration file' => 'WireGuard Client Configuration File', 'wg client pool' => 'Client Pool', 'wg create host-to-net peer' => 'Create A New Host-To-Net Peer', @@ -3149,6 +3151,7 @@ 'wg invalid psk' => 'Invalid pre-shared key', 'wg invalid public key' => 'Invalid public key', 'wg invalid remote subnet' => 'Invalid remote subnet', +'wg invalid wg0 address' => 'Invalid wg0 IP', 'wg keepalive interval' => 'Keepalive Interval', 'wg leave empty to automatically select' => 'Leave empty to automatically select', 'wg missing allowed ips' => 'Missing AllowedIPs', diff --git a/langs/zh/cgi-bin/zh.pl b/langs/zh/cgi-bin/zh.pl index aac01d48e..0d86d4638 100644 --- a/langs/zh/cgi-bin/zh.pl +++ b/langs/zh/cgi-bin/zh.pl @@ -3072,6 +3072,7 @@ 'weekly firewallhits' => '防火墙命中(每周)', 'weeks' => '周', 'wg' => 'WireGuard', +'wg address' => 'IP地址', 'wg client configuration file' => 'WireGuard客户端配置文件', 'wg client pool' => '客户端地址池', 'wg create host-to-net peer' => '创建新的主机对网络节点', @@ -3096,6 +3097,7 @@ 'wg invalid psk' => '无效的预共享密钥', 'wg invalid public key' => '无效的公钥', 'wg invalid remote subnet' => '无效的远程子网', +'wg invalid wg0 address' => '无效的 wg0 IP 地址', 'wg keepalive interval' => 'Keepalive间隔', 'wg leave empty to automatically select' => '留空以自动选择', 'wg missing allowed ips' => '缺少AllowedIPs', diff --git a/src/initscripts/system/wireguard b/src/initscripts/system/wireguard index caaa69cb9..07c501bf8 100644 --- a/src/initscripts/system/wireguard +++ b/src/initscripts/system/wireguard 
@@ -73,6 +73,17 @@ setup_interface() {
 ip link set "${intf}" mtu "${MTU}" || return $?
 fi
 
+ # Set up IP on wg0
+ if interface_is_rw "${intf}"; then
+ ip a add "${ADDRESS}" dev "${intf}"
+ # Allow SSH/WUI from VPN road warrior to manage the firewall
+ iptables -A GUIINPUT -i wg0 -p tcp -m tcp --dport 22 -j ACCEPT
+ iptables -A GUIINPUT -i wg0 -p tcp -m tcp --dport 444 -j ACCEPT
+ # Apply MASQUERADE
+ iptables -t nat -A WGNAT -o "${intf}" -j MASQUERADE
+
+ fi
+
 # Load the configuration into the kernel
 wg syncconf "${intf}" <(generate_config "${intf}") || return $?
 
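Review bot: `ip a add "${ADDRESS}" dev "${intf}"` runs whenever the interface is rw, but the CGI change makes ADDRESS optional and stores an empty string for it, so on such a configuration this call fails and, unlike the neighbouring `ip link set ... || return $?`, the failure is not checked, while the three iptables rules are still appended. The two GUIINPUT rules also hard-code `-i wg0` although every other line in the block uses `"${intf}"`, and they open the SSH and WUI ports to every peer on the interface with `-A` on each setup, so repeated starts accumulate duplicate rules unless a matching flush exists in the teardown path, which is outside the hunk. Gate the block on a non-empty ADDRESS, check the `ip` call, and use `"${intf}"` consistently; setup_interface starts before and continues after the hunk.
```shell
	# Set up IP on wg0 (only when an address was configured in the WUI)
	if interface_is_rw "${intf}" && [ -n "${ADDRESS}" ]; then
		ip a add "${ADDRESS}" dev "${intf}" || return $?
		# Allow SSH/WUI from VPN road warrior to manage the firewall
		iptables -A GUIINPUT -i "${intf}" -p tcp -m tcp --dport 22 -j ACCEPT
		iptables -A GUIINPUT -i "${intf}" -p tcp -m tcp --dport 444 -j ACCEPT
		# … unchanged: MASQUERADE rule …
	fi
```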