From b325ffaf090290919de5885674c7791290d7bfa2 Mon Sep 17 00:00:00 2001
From: Astound
Date: Mon, 12 Aug 2024 12:59:56 +0800
Subject: [PATCH] Isolate client traffic in WireGuard and update iptables configuration

- Modified `src/config.js` to include new iptables rules that block traffic between clients on the `wg0` interface.
- Added iptables rules in `WG_POST_UP` and `WG_POST_DOWN` to explicitly reject traffic between clients (`iptables -A FORWARD -i wg0 -o wg0 -j REJECT;`).
- Applied the same logic for IPv6 traffic, ensuring that client-to-client traffic is blocked in both IPv4 and IPv6 networks.
- These changes are crucial for enhancing the security and privacy of clients connected to the WireGuard server by preventing inter-client communication.
---
 src/config.js | 4 ++++
 src/lib/WireGuard.js | 2 +-
 2 files changed, 5 insertions(+), 1 deletion(-)

diff --git a/src/config.js b/src/config.js
index dfd9ee0..6797b13 100644
--- a/src/config.js
+++ b/src/config.js
@@ -35,6 +35,7 @@ if (!process.env.WG_POST_UP) {
 module.exports.WG_POST_UP = `
 iptables -t nat -A POSTROUTING -s ${module.exports.WG_DEFAULT_ADDRESS.replace('x', '0')}/24 -o ${module.exports.WG_DEVICE} -j MASQUERADE;
 iptables -A INPUT -p udp -m udp --dport ${module.exports.WG_PORT} -j ACCEPT;
+ iptables -A FORWARD -i wg0 -o wg0 -j REJECT;
 iptables -A FORWARD -i wg0 -j ACCEPT;
 iptables -A FORWARD -o wg0 -j ACCEPT;`;
 
@@ -42,6 +43,7 @@ if (!process.env.WG_POST_UP) {
 module.exports.WG_POST_UP += `
 ip6tables -t nat -A POSTROUTING -s ${module.exports.WG_DEFAULT_ADDRESS6.replace('x', '0')}/64 -o ${module.exports.WG_DEVICE} -j MASQUERADE;
 ip6tables -A INPUT -p udp -m udp --dport ${module.exports.WG_PORT} -j ACCEPT;
+ ip6tables -A FORWARD -i wg0 -o wg0 -j REJECT;
 ip6tables -A FORWARD -i wg0 -j ACCEPT;
 ip6tables -A FORWARD -o wg0 -j ACCEPT;`;
 }
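Review bot: The REJECT rule at `+ iptables -A FORWARD -i wg0 -o wg0 -j REJECT;` isolates clients only when the built-in defaults are used, because the whole block sits under the `if (!process.env.WG_POST_UP)` guard shown in the hunk header; a deployment that overrides WG_POST_UP keeps client-to-client forwarding, and the same holds for the ip6tables hunk below it and for the two WG_POST_DOWN hunks in this file. That limitation is worth stating next to the rule, e.g. `// Default rules only: a custom WG_POST_UP must add its own wg0-to-wg0 REJECT to keep clients isolated.` on the line above the `module.exports.WG_POST_UP =` assignment. The isolation also depends on the REJECT being matched before the `-i wg0 -j ACCEPT` rule that follows it; with `-A` that holds for a fresh FORWARD chain, but if the chain still carries ACCEPT rules from an earlier run whose POST_DOWN never executed, the appended REJECT is shadowed by them. Inserting it at the head of the chain, `iptables -I FORWARD -i wg0 -o wg0 -j REJECT;` (and likewise for ip6tables), would make the rule independent of the chain's prior contents while leaving the `-D` lines in WG_POST_DOWN unchanged.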
@@ -54,6 +56,7 @@ if (!process.env.WG_POST_DOWN) {
 module.exports.WG_POST_DOWN = `
 iptables -t nat -D POSTROUTING -s ${module.exports.WG_DEFAULT_ADDRESS.replace('x', '0')}/24 -o ${module.exports.WG_DEVICE} -j MASQUERADE;
 iptables -D INPUT -p udp -m udp --dport ${module.exports.WG_PORT} -j ACCEPT;
+ iptables -D FORWARD -i wg0 -o wg0 -j REJECT;
 iptables -D FORWARD -i wg0 -j ACCEPT;
 iptables -D FORWARD -o wg0 -j ACCEPT;`;
 
@@ -61,6 +64,7 @@ if (!process.env.WG_POST_DOWN) {
 module.exports.WG_POST_DOWN += `
 ip6tables -t nat -D POSTROUTING -s ${module.exports.WG_DEFAULT_ADDRESS6.replace('x', '0')}/64 -o ${module.exports.WG_DEVICE} -j MASQUERADE;
 ip6tables -D INPUT -p udp -m udp --dport ${module.exports.WG_PORT} -j ACCEPT;
+ ip6tables -D FORWARD -i wg0 -o wg0 -j REJECT;
 ip6tables -D FORWARD -i wg0 -j ACCEPT;
 ip6tables -D FORWARD -o wg0 -j ACCEPT;`;
 }
diff --git a/src/lib/WireGuard.js b/src/lib/WireGuard.js
index ed2be7f..42ea9cc 100644
--- a/src/lib/WireGuard.js
+++ b/src/lib/WireGuard.js
@@ -214,7 +214,7 @@ ${client.preSharedKey ? `PresharedKey = ${client.preSharedKey}\n` : ''
 return `
 [Interface]
 PrivateKey = ${client.privateKey ? `${client.privateKey}` : 'REPLACE_ME'}
-Address = ${client.address}/24, ${client.address6}/64
+Address = ${client.address}/32, ${client.address6}/128
 ${isDnsSet ? `DNS = ${dnsServers}\n` : ''}\
 ${WG_DEFAULT_DNS ? `DNS = ${WG_DEFAULT_DNS}\n` : ''}\
 ${WG_MTU ? `MTU = ${WG_MTU}\n` : ''}\
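Review bot: The change to `+Address = ${client.address}/32, ${client.address6}/128` in src/lib/WireGuard.js is not mentioned in the commit message, and it should not be read as part of the client isolation: the prefix on a client's `[Interface] Address` only shapes the client's local on-link route, what enters the tunnel is decided by the `AllowedIPs` line of the generated config (outside this hunk), and the enforcement that actually blocks peer-to-peer traffic is the FORWARD REJECT added in src/config.js. A one-line comment above the `return` would prevent the next reader from relying on this line for isolation, e.g. `// Single-host prefix for the client's own tunnel address; client-to-client isolation is enforced server-side by the FORWARD rules in config.js.` The function that builds this template starts before the hunk and the template literal continues past it. The two WG_POST_DOWN hunks above mirror the WG_POST_UP additions line for line and raise nothing new.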