wireguard: add IP on road warrior interface wg0

Choose one IP from client pool and add it to road warrior interface wg0 so road warrior VPN client could reach firewall through the VPN Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
2026-04-09 18:45:54 +02:00 · 2025-07-20 23:40:09 +00:00
parent ec74268fa7
commit c7e72c51bf
5 changed files with 45 additions and 4 deletions
--- a/config/cfgroot/wireguard-functions.pl
+++ b/config/cfgroot/wireguard-functions.pl
@@ -344,6 +344,9 @@ sub free_pool_addresses($$) {
 	my @used_addresses = ();
 	my @free_addresses = ();

+	# wg0 IP is reserved so put in @used_addresses
+	push(@used_addresses, &Network::ip2bin($settings{'ADDRESS'}));
+
 	# Collect all used addresses
 	foreach my $key (keys %peers) {
 		my $peer = &load_peer($key);
--- a/html/cgi-bin/wireguard.cgi
+++ b/html/cgi-bin/wireguard.cgi
@@ -87,6 +87,21 @@ if ($cgiparams{"ACTION"} eq $Lang::tr{'save'}) {
 		$Wireguard::settings{'CLIENT_DNS'} = join("|", @client_dns);
 	}

+	# Check wg0 ADDRESS - make it optional
+	if (defined $cgiparams{'ADDRESS'}) {
+		if ($cgiparams{'ADDRESS'} ne '') {
+			my $address = $cgiparams{'ADDRESS'};
+			unless (&Network::check_ip_address($address)) {
+				push(@errormessages, "$Lang::tr{'wg invalid wg0 address'}: ${address}");
+			}
+			# Store ADDRESS only if it's valid and not empty
+			$Wireguard::settings{'ADDRESS'} = $address;
+		} else {
+			# Explicitly set to empty string when field is empty
+			$Wireguard::settings{'ADDRESS'} = '';
+		}
+	}
+
 	# Don't continue on error
 	goto MAIN if (scalar @errormessages);

@@ -805,14 +820,21 @@ MAIN:
 				</tr>

 				<tr>
-					<td>$Lang::tr{'wg endpoint'}</td>
+					<td>$Lang::tr{'wg endpoint'}&nbsp;<img src='/blob.gif' alt='*' /></td>
 					<td>
 						<input type="text" name="ENDPOINT" value="$Wireguard::settings{'ENDPOINT'}" placeholder="$General::mainsettings{'HOSTNAME'}.$General::mainsettings{'DOMAINNAME'}" />
 					</td>
 				</tr>

+                                <tr>
+                                        <td>$Lang::tr{'wg address'}</td>
+                                        <td>
+                                                <input type="text" name="ADDRESS" value="$Wireguard::settings{'ADDRESS'}" />
+                                        </td>
+                                </tr>
+
 				<tr>
-					<td>$Lang::tr{'port'}</td>
+					<td>$Lang::tr{'port'}&nbsp;<img src='/blob.gif' alt='*' /></td>
 					<td>
 						<input type="number" name="PORT" value="$Wireguard::settings{'PORT'}"
 							min="1024" max="65535" />
@@ -824,7 +846,7 @@ MAIN:

 			<table class="form">
 				<tr>
-					<td>$Lang::tr{'wg client pool'}</td>
+					<td>$Lang::tr{'wg client pool'}&nbsp;<img src='/blob.gif' alt='*' /></td>
 					<td>
 						<input type="text" name="CLIENT_POOL"
 							value="$Wireguard::settings{'CLIENT_POOL'}" $readonly{'CLIENT_POOL'} />
@@ -832,7 +854,7 @@ MAIN:
 				</tr>

 				<tr>
-					<td>$Lang::tr{'wg dns'}</td>
+					<td>$Lang::tr{'wg dns'}&nbsp;<img src='/blob.gif' alt='*' /></td>
 					<td>
 						<input type="text" name="CLIENT_DNS"
 							value="$client_dns" />
--- a/langs/en/cgi-bin/en.pl
+++ b/langs/en/cgi-bin/en.pl
@@ -3125,6 +3125,8 @@
 'week-graph' => 'Week',
 'weekly firewallhits' => 'weekly firewallhits',
 'weeks' => 'Weeks',
+'wg' => 'WireGuard',
+'wg address' => 'Address',
 'wg client configuration file' => 'WireGuard Client Configuration File',
 'wg client pool' => 'Client Pool',
 'wg create host-to-net peer' => 'Create A New Host-To-Net Peer',
@@ -3149,6 +3151,7 @@
 'wg invalid psk' => 'Invalid pre-shared key',
 'wg invalid public key' => 'Invalid public key',
 'wg invalid remote subnet' => 'Invalid remote subnet',
+'wg invalid wg0 address' => 'Invalid wg0 IP',
 'wg keepalive interval' => 'Keepalive Interval',
 'wg leave empty to automatically select' => 'Leave empty to automatically select',
 'wg missing allowed ips' => 'Missing AllowedIPs',
--- a/langs/zh/cgi-bin/zh.pl
+++ b/langs/zh/cgi-bin/zh.pl
@@ -3072,6 +3072,7 @@
 'weekly firewallhits' => '防火墙命中(每周)',
 'weeks' => '周',
 'wg' => 'WireGuard',
+'wg address' => 'IP地址',
 'wg client configuration file' => 'WireGuard客户端配置文件',
 'wg client pool' => '客户端地址池',
 'wg create host-to-net peer' => '创建新的主机对网络节点',
@@ -3096,6 +3097,7 @@
 'wg invalid psk' => '无效的预共享密钥',
 'wg invalid public key' => '无效的公钥',
 'wg invalid remote subnet' => '无效的远程子网',
+'wg invalid wg0 address' => '无效的 wg0 IP 地址',
 'wg keepalive interval' => 'Keepalive间隔',
 'wg leave empty to automatically select' => '留空以自动选择',
 'wg missing allowed ips' => '缺少AllowedIPs',
--- a/src/initscripts/system/wireguard
+++ b/src/initscripts/system/wireguard
@@ -73,6 +73,17 @@ setup_interface() {
 		ip link set "${intf}" mtu "${MTU}" || return $?
 	fi

+	# Set up IP on wg0
+	if interface_is_rw "${intf}"; then
+		ip a add "${ADDRESS}" dev "${intf}"
+		# Allow SSH/WUI from VPN road warrior to manage the firewall
+		iptables -A GUIINPUT -i wg0 -p tcp -m tcp --dport 22 -j ACCEPT
+		iptables -A GUIINPUT -i wg0 -p tcp -m tcp --dport 444 -j ACCEPT
+		# Apply MASQUERADE
+		iptables -t nat -A WGNAT -o "${intf}" -j MASQUERADE
+
+	fi
+
 	# Load the configuration into the kernel
 	wg syncconf "${intf}" <(generate_config "${intf}") || return $?