From e9c5334eeb0b551d04b8b099ac046f4d81ea251f Mon Sep 17 00:00:00 2001
From: Vincent Li
Date: Wed, 2 Jul 2025 18:53:06 +0000
Subject: [PATCH] wireguard: Automatically apply MASQUERADE for peers with local address

commit 459bb750298c09990c0c8d4677f0f442887304d0
Author: Michael Tremer
Date: Sat Apr 26 14:30:44 2025 +0200

    wireguard: Automatically apply MASQUERADE for peers with local address

    In this case we are the client and we cannot leak any local subnets.

Signed-off-by: Michael Tremer
Signed-off-by: Vincent Li
---
 src/initscripts/system/firewall | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/src/initscripts/system/firewall b/src/initscripts/system/firewall
index 2a8877d20..dd15beb44 100644
--- a/src/initscripts/system/firewall
+++ b/src/initscripts/system/firewall
@@ -217,10 +217,14 @@ iptables_init() {
 	iptables -A OUTPUT -m policy --dir out --pol none -j IPSECBLOCK
 
 	# Block unauthorized WireGuard traffic
-	ipatbles -N WGBLOCK
+	iptables -N WGBLOCK
 	iptables -A INPUT -i wg+ -j WGBLOCK
 	iptables -A FORWARD -i wg+ -j WGBLOCK
 
+	# NAT for WireGuard peers
+	iptables -t nat -N WGNAT
+	iptables -t nat -A POSTROUTING -j WGNAT
+
 	# Block OpenVPN transfer networks
 	iptables -N OVPNBLOCK
 	iptables -A INPUT -i tun+ -j OVPNBLOCK
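Review bot: The jump `iptables -t nat -A POSTROUTING -j WGNAT` carries no interface match, unlike the WGBLOCK jumps just above it which are limited to `-i wg+`, so every rule later placed in WGNAT is evaluated for all post-routing traffic, and a MASQUERADE rule that does not carry its own `-o`/destination match would rewrite unrelated flows. If WGNAT is only meant for the peer MASQUERADE the title describes, `iptables -t nat -A POSTROUTING -o wg+ -j WGNAT` would scope it at the chain entry; otherwise the comment should state the contract, e.g. `# NAT for WireGuard peers (every rule in WGNAT must select its own peer/interface)`. The rules that populate WGNAT are not in this patch (the diffstat lists only this file), so which of the two applies cannot be checked here, and because the jump is appended, any SNAT rule already earlier in POSTROUTING will take precedence over it. iptables_init() starts and ends outside the hunk.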