Isolate client traffic in WireGuard and update iptables configuration

- Modified `src/config.js` to include new iptables rules that block traffic between clients on the `wg0` interface.
- Added an iptables rule to `WG_POST_UP` that explicitly rejects forwarded traffic between clients (`iptables -A FORWARD -i wg0 -o wg0 -j REJECT;`), with the matching `-D` removal in `WG_POST_DOWN`.
- Applied the same logic for IPv6 traffic, ensuring that client-to-client traffic is blocked in both IPv4 and IPv6 networks.
- These changes are crucial for enhancing the security and privacy of clients connected to the WireGuard server by preventing inter-client communication.
This commit is contained in:
Astound 2024-08-12 12:59:56 +08:00
parent 6182bc3e03
commit b325ffaf09
Signed by: kaiser
GPG Key ID: 97504AF0027B1A56
2 changed files with 5 additions and 1 deletions


@ -35,6 +35,7 @@ if (!process.env.WG_POST_UP) {
module.exports.WG_POST_UP = ` module.exports.WG_POST_UP = `
iptables -t nat -A POSTROUTING -s ${module.exports.WG_DEFAULT_ADDRESS.replace('x', '0')}/24 -o ${module.exports.WG_DEVICE} -j MASQUERADE; iptables -t nat -A POSTROUTING -s ${module.exports.WG_DEFAULT_ADDRESS.replace('x', '0')}/24 -o ${module.exports.WG_DEVICE} -j MASQUERADE;
iptables -A INPUT -p udp -m udp --dport ${module.exports.WG_PORT} -j ACCEPT; iptables -A INPUT -p udp -m udp --dport ${module.exports.WG_PORT} -j ACCEPT;
iptables -A FORWARD -i wg0 -o wg0 -j REJECT;
iptables -A FORWARD -i wg0 -j ACCEPT; iptables -A FORWARD -i wg0 -j ACCEPT;
iptables -A FORWARD -o wg0 -j ACCEPT;`; iptables -A FORWARD -o wg0 -j ACCEPT;`;
@ -42,6 +43,7 @@ if (!process.env.WG_POST_UP) {
module.exports.WG_POST_UP += ` module.exports.WG_POST_UP += `
ip6tables -t nat -A POSTROUTING -s ${module.exports.WG_DEFAULT_ADDRESS6.replace('x', '0')}/64 -o ${module.exports.WG_DEVICE} -j MASQUERADE; ip6tables -t nat -A POSTROUTING -s ${module.exports.WG_DEFAULT_ADDRESS6.replace('x', '0')}/64 -o ${module.exports.WG_DEVICE} -j MASQUERADE;
ip6tables -A INPUT -p udp -m udp --dport ${module.exports.WG_PORT} -j ACCEPT; ip6tables -A INPUT -p udp -m udp --dport ${module.exports.WG_PORT} -j ACCEPT;
ip6tables -A FORWARD -i wg0 -o wg0 -j REJECT;
ip6tables -A FORWARD -i wg0 -j ACCEPT; ip6tables -A FORWARD -i wg0 -j ACCEPT;
ip6tables -A FORWARD -o wg0 -j ACCEPT;`; ip6tables -A FORWARD -o wg0 -j ACCEPT;`;
} }
@ -54,6 +56,7 @@ if (!process.env.WG_POST_DOWN) {
module.exports.WG_POST_DOWN = ` module.exports.WG_POST_DOWN = `
iptables -t nat -D POSTROUTING -s ${module.exports.WG_DEFAULT_ADDRESS.replace('x', '0')}/24 -o ${module.exports.WG_DEVICE} -j MASQUERADE; iptables -t nat -D POSTROUTING -s ${module.exports.WG_DEFAULT_ADDRESS.replace('x', '0')}/24 -o ${module.exports.WG_DEVICE} -j MASQUERADE;
iptables -D INPUT -p udp -m udp --dport ${module.exports.WG_PORT} -j ACCEPT; iptables -D INPUT -p udp -m udp --dport ${module.exports.WG_PORT} -j ACCEPT;
iptables -D FORWARD -i wg0 -o wg0 -j REJECT;
iptables -D FORWARD -i wg0 -j ACCEPT; iptables -D FORWARD -i wg0 -j ACCEPT;
iptables -D FORWARD -o wg0 -j ACCEPT;`; iptables -D FORWARD -o wg0 -j ACCEPT;`;
@ -61,6 +64,7 @@ if (!process.env.WG_POST_DOWN) {
module.exports.WG_POST_DOWN += ` module.exports.WG_POST_DOWN += `
ip6tables -t nat -D POSTROUTING -s ${module.exports.WG_DEFAULT_ADDRESS6.replace('x', '0')}/64 -o ${module.exports.WG_DEVICE} -j MASQUERADE; ip6tables -t nat -D POSTROUTING -s ${module.exports.WG_DEFAULT_ADDRESS6.replace('x', '0')}/64 -o ${module.exports.WG_DEVICE} -j MASQUERADE;
ip6tables -D INPUT -p udp -m udp --dport ${module.exports.WG_PORT} -j ACCEPT; ip6tables -D INPUT -p udp -m udp --dport ${module.exports.WG_PORT} -j ACCEPT;
ip6tables -D FORWARD -i wg0 -o wg0 -j REJECT;
ip6tables -D FORWARD -i wg0 -j ACCEPT; ip6tables -D FORWARD -i wg0 -j ACCEPT;
ip6tables -D FORWARD -o wg0 -j ACCEPT;`; ip6tables -D FORWARD -o wg0 -j ACCEPT;`;
} }
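Review bot: The isolation relies on the new REJECT being appended ahead of the two ACCEPT rules in the same FORWARD chain, but all three use `-A`, so any `-i wg0 -j ACCEPT` already present (left over when PostDown did not run, or added by the host's own firewall) sits before it and silently defeats the block. Inserting at the head is more robust: `iptables -I FORWARD 1 -i wg0 -o wg0 -j REJECT;` and `ip6tables -I FORWARD 1 -i wg0 -o wg0 -j REJECT;`, while the `-D` lines in PostDown can stay as they are since `-D` matches on the rule specification, not position. Note also that these defaults only apply when `WG_POST_UP` / `WG_POST_DOWN` are unset in the environment (the `if (!process.env.…)` guards), so operators with a custom PostUp get no client isolation unless that is documented. A comment above the rule such as `// Reject peer-to-peer forwarding; must precede the wg0 ACCEPT rules below` would make the ordering constraint explicit to the next editor. The enclosing `if` blocks open in the hunk headers, outside the visible hunk lines.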


@ -214,7 +214,7 @@ ${client.preSharedKey ? `PresharedKey = ${client.preSharedKey}\n` : ''
return ` return `
[Interface] [Interface]
PrivateKey = ${client.privateKey ? `${client.privateKey}` : 'REPLACE_ME'} PrivateKey = ${client.privateKey ? `${client.privateKey}` : 'REPLACE_ME'}
Address = ${client.address}/24, ${client.address6}/64 Address = ${client.address}/32, ${client.address6}/128
${isDnsSet ? `DNS = ${dnsServers}\n` : ''}\ ${isDnsSet ? `DNS = ${dnsServers}\n` : ''}\
${WG_DEFAULT_DNS ? `DNS = ${WG_DEFAULT_DNS}\n` : ''}\ ${WG_DEFAULT_DNS ? `DNS = ${WG_DEFAULT_DNS}\n` : ''}\
${WG_MTU ? `MTU = ${WG_MTU}\n` : ''}\ ${WG_MTU ? `MTU = ${WG_MTU}\n` : ''}\
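Review bot: The `/32` and `/128` prefixes on the client `Address` line are a routing hint in the generated client config, not an enforcement boundary — a client can still add a route for the tunnel subnet by hand, so peer isolation must come from the server-side FORWARD REJECT rule rather than from this change. It would help to say so next to the template line, e.g. `// /32 and /128: tunnel address only; peer isolation is enforced server-side by the FORWARD REJECT rule`, so nobody later loosens the server rule thinking the client prefix protects them. Clients issued before this change still carry `/24` and `/64` configs; their traffic still traverses the server, so they are covered only if the server-side rule is in place. The template function returning this config starts and ends outside the hunk.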