wireguard: add IP on road warrior interface wg0

Choose one IP from client pool and add it to road warrior interface wg0 so road warrior VPN client could reach firewall through the VPN Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
2026-04-09 18:45:54 +02:00 · 2025-07-20 23:40:09 +00:00
parent ec74268fa7
commit c7e72c51bf
5 changed files with 45 additions and 4 deletions
--- a/src/initscripts/system/wireguard
+++ b/src/initscripts/system/wireguard
@@ -73,6 +73,17 @@ setup_interface() {
 		ip link set "${intf}" mtu "${MTU}" || return $?
 	fi

+	# Set up IP on wg0
+	if interface_is_rw "${intf}"; then
+		ip a add "${ADDRESS}" dev "${intf}"
+		# Allow SSH/WUI from VPN road warrior to manage the firewall
+		iptables -A GUIINPUT -i wg0 -p tcp -m tcp --dport 22 -j ACCEPT
+		iptables -A GUIINPUT -i wg0 -p tcp -m tcp --dport 444 -j ACCEPT
+		# Apply MASQUERADE
+		iptables -t nat -A WGNAT -o "${intf}" -j MASQUERADE
+
+	fi
+
 	# Load the configuration into the kernel
 	wg syncconf "${intf}" <(generate_config "${intf}") || return $?