From c7e72c51bfdd7cd6af1a935f64349ab955cec424 Mon Sep 17 00:00:00 2001
From: Vincent Li
Date: Sun, 20 Jul 2025 23:40:09 +0000
Subject: [PATCH] wireguard: add IP on road warrior interface wg0
Choose one IP from client pool and add it to road warrior interface wg0 so road warrior VPN client could reach firewall through the VPN
Signed-off-by: Vincent Li
---
config/cfgroot/wireguard-functions.pl | 3 +++
html/cgi-bin/wireguard.cgi | 30 +++++++++++++++++++++++----
langs/en/cgi-bin/en.pl | 3 +++
langs/zh/cgi-bin/zh.pl | 2 ++
src/initscripts/system/wireguard | 11 ++++++++++
5 files changed, 45 insertions(+), 4 deletions(-)
diff --git a/config/cfgroot/wireguard-functions.pl b/config/cfgroot/wireguard-functions.pl
index e6b5e08ba..763129262 100644
--- a/config/cfgroot/wireguard-functions.pl
+++ b/config/cfgroot/wireguard-functions.pl
@@ -344,6 +344,9 @@ sub free_pool_addresses($$) {
 my @used_addresses = ();
 my @free_addresses = ();
 
+ # wg0 IP is reserved so put in @used_addresses
+ push(@used_addresses, &Network::ip2bin($settings{'ADDRESS'}));
+
 # Collect all used addresses
 foreach my $key (keys %peers) {
 my $peer = &load_peer($key);
diff --git a/html/cgi-bin/wireguard.cgi b/html/cgi-bin/wireguard.cgi
index b47ae1bc0..26f7b97fb 100644
--- a/html/cgi-bin/wireguard.cgi
+++ b/html/cgi-bin/wireguard.cgi
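Review bot: `push(@used_addresses, &Network::ip2bin($settings{'ADDRESS'}))` runs even when ADDRESS is unset or the empty string, which the CGI side of this commit explicitly allows; whatever ip2bin returns for '' (presumably undef or 0) then lands in the used list and may reserve a bogus address or raise uninitialized-value warnings further down. Guard it: `push(@used_addresses, &Network::ip2bin($settings{'ADDRESS'})) if (defined $settings{'ADDRESS'} && $settings{'ADDRESS'} ne '');`. A why-comment such as `# The interface's own address is reserved so it is never handed out to a peer` says more than "put in @used_addresses". free_pool_addresses continues past the end of the hunk.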
@@ -87,6 +87,21 @@ if ($cgiparams{"ACTION"} eq $Lang::tr{'save'}) {
 $Wireguard::settings{'CLIENT_DNS'} = join("|", @client_dns);
 }
 
+ # Check wg0 ADDRESS - make it optional
+ if (defined $cgiparams{'ADDRESS'}) {
+ if ($cgiparams{'ADDRESS'} ne '') {
+ my $address = $cgiparams{'ADDRESS'};
+ unless (&Network::check_ip_address($address)) {
+ push(@errormessages, "$Lang::tr{'wg invalid wg0 address'}: ${address}");
+ }
+ # Store ADDRESS only if it's valid and not empty
+ $Wireguard::settings{'ADDRESS'} = $address;
+ } else {
+ # Explicitly set to empty string when field is empty
+ $Wireguard::settings{'ADDRESS'} = '';
+ }
+ }
+
 # Don't continue on error
 goto MAIN if (scalar @errormessages);
@@ -805,14 +820,21 @@ MAIN: - $Lang::tr{'wg endpoint'} + $Lang::tr{'wg endpoint'} * + + $Lang::tr{'wg address'} + + + + + - $Lang::tr{'port'} + $Lang::tr{'port'} *
@@ -824,7 +846,7 @@ MAIN: - + - +
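Review bot: In the `unless (&Network::check_ip_address($address))` branch the error is recorded but `$Wireguard::settings{'ADDRESS'} = $address;` still executes, so the comment `# Store ADDRESS only if it's valid and not empty` is untrue; the later `goto MAIN if (scalar @errormessages)` presumably stops the settings from being written out, but the in-memory hash carries an invalid value for the rest of the request. Put the assignment in an `else` branch of the `unless` so the comment and the code agree. The check is also purely syntactic: nothing verifies that the address lies inside the configured CLIENT_POOL, which the commit message and the pool reservation added to wireguard-functions.pl both assume, so a value outside the pool is accepted silently; a membership check against CLIENT_POOL feeding the same @errormessages path would close that gap. The enclosing `if ($cgiparams{"ACTION"} eq $Lang::tr{'save'})` block starts before the hunk.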
$Lang::tr{'wg client pool'}$Lang::tr{'wg client pool'} *
@@ -832,7 +854,7 @@ MAIN:
$Lang::tr{'wg dns'}$Lang::tr{'wg dns'} *
diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl
index b39df6f17..2d2ea9e82 100644
--- a/langs/en/cgi-bin/en.pl
+++ b/langs/en/cgi-bin/en.pl
@@ -3125,6 +3125,8 @@
 'week-graph' => 'Week',
 'weekly firewallhits' => 'weekly firewallhits',
 'weeks' => 'Weeks',
+'wg' => 'WireGuard',
+'wg address' => 'Address',
 'wg client configuration file' => 'WireGuard Client Configuration File',
 'wg client pool' => 'Client Pool',
 'wg create host-to-net peer' => 'Create A New Host-To-Net Peer',
@@ -3149,6 +3151,7 @@
 'wg invalid psk' => 'Invalid pre-shared key',
 'wg invalid public key' => 'Invalid public key',
 'wg invalid remote subnet' => 'Invalid remote subnet',
+'wg invalid wg0 address' => 'Invalid wg0 IP',
 'wg keepalive interval' => 'Keepalive Interval',
 'wg leave empty to automatically select' => 'Leave empty to automatically select',
 'wg missing allowed ips' => 'Missing AllowedIPs',
diff --git a/langs/zh/cgi-bin/zh.pl b/langs/zh/cgi-bin/zh.pl
index aac01d48e..0d86d4638 100644
--- a/langs/zh/cgi-bin/zh.pl
+++ b/langs/zh/cgi-bin/zh.pl
@@ -3072,6 +3072,7 @@
 'weekly firewallhits' => '防火墙命中(每周)',
 'weeks' => '周',
 'wg' => 'WireGuard',
+'wg address' => 'IP地址',
 'wg client configuration file' => 'WireGuard客户端配置文件',
 'wg client pool' => '客户端地址池',
 'wg create host-to-net peer' => '创建新的主机对网络节点',
@@ -3096,6 +3097,7 @@
 'wg invalid psk' => '无效的预共享密钥',
 'wg invalid public key' => '无效的公钥',
 'wg invalid remote subnet' => '无效的远程子网',
+'wg invalid wg0 address' => '无效的 wg0 IP 地址',
 'wg keepalive interval' => 'Keepalive间隔',
 'wg leave empty to automatically select' => '留空以自动选择',
 'wg missing allowed ips' => '缺少AllowedIPs',
diff --git a/src/initscripts/system/wireguard b/src/initscripts/system/wireguard
index caaa69cb9..07c501bf8 100644
--- a/src/initscripts/system/wireguard
+++ b/src/initscripts/system/wireguard
@@ -73,6 +73,17 @@ setup_interface() {
 ip link set "${intf}" mtu "${MTU}" || return $?
 fi
 
+ # Set up IP on wg0
+ if interface_is_rw "${intf}"; then
+ ip a add "${ADDRESS}" dev "${intf}"
+ # Allow SSH/WUI from VPN road warrior to manage the firewall
+ iptables -A GUIINPUT -i wg0 -p tcp -m tcp --dport 22 -j ACCEPT
+ iptables -A GUIINPUT -i wg0 -p tcp -m tcp --dport 444 -j ACCEPT
+ # Apply MASQUERADE
+ iptables -t nat -A WGNAT -o "${intf}" -j MASQUERADE
+
+ fi
+
 # Load the configuration into the kernel
 wg syncconf "${intf}" <(generate_config "${intf}") || return $?
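Review bot: The two GUIINPUT rules are hard-coded to `-i wg0` while every other line in the branch uses `"${intf}"`, and they are appended with `-A` each time setup_interface runs with no removal visible here, so a service restart stacks duplicate ACCEPT rules and a road-warrior interface under another name gets no rule at all. Use `-i "${intf}"` and test before appending, e.g. `iptables -C GUIINPUT -i "${intf}" -p tcp -m tcp --dport 22 -j ACCEPT 2>/dev/null || iptables -A GUIINPUT -i "${intf}" -p tcp -m tcp --dport 22 -j ACCEPT` (same for 444 and the WGNAT MASQUERADE line), or remove these rules in the teardown path. `ip a add "${ADDRESS}" dev "${intf}"` lacks the `|| return $?` that the MTU line above it has and runs even when ADDRESS is empty, which the CGI side of this commit can store as '', so the branch should be gated on `[ -n "${ADDRESS}" ]`. Opening SSH (22) and the web UI (444) to every road-warrior peer is a firewall-policy decision rather than interface setup; if it stays in the init script it deserves a comment saying so and ideally a setting that lets an administrator switch it off.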