authorEgor Tensin <Egor.Tensin@gmail.com>2023-08-08 22:38:33 +0200
committerEgor Tensin <Egor.Tensin@gmail.com>2023-08-08 22:45:22 +0200
commit0b2eb8d752c5229e50663226be897f8ef8bfa013 (patch)
tree05192797197d2d6745a03596af1343d8763bf05b
parentfirewall: reboot on rule changes (diff)
wireguard: optionally set iptables rules
-rw-r--r--roles/wireguard/defaults/main.yml1
-rw-r--r--roles/wireguard/templates/wg0.conf11
2 files changed, 12 insertions, 0 deletions
diff --git a/roles/wireguard/defaults/main.yml b/roles/wireguard/defaults/main.yml
index 67964a5..9f7733a 100644
--- a/roles/wireguard/defaults/main.yml
+++ b/roles/wireguard/defaults/main.yml
@@ -1,2 +1,3 @@
wg_name: wg0
wg_listen_port: 51280
+wg_firewall: false
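Review bot: `wg_firewall: false` is added with no comment, so a reader of the role defaults has to open the template to learn that it gates the iptables/ip6tables PostUp and PostDown lines in wg0.conf; a one-line comment above it such as `# When true, wg0.conf adds MASQUERADE and FORWARD rules for the tunnel addresses on PostUp and removes them on PostDown` would make the default self-explanatory. Two details in the gated template are worth fixing in the same change: the ip6tables nat PostDown line uses `-A` where every other PostDown line uses `-D`, so taking the interface down adds a second MASQUERADE rule instead of removing the first and the rules accumulate across restarts; and the FORWARD ACCEPT rules match on source address only, so restricting them to the tunnel interface with `-i {{ wg_name }}` would stop traffic arriving on another interface with a spoofed tunnel source from being forwarded. The template hunk continues past the end of this page.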
diff --git a/roles/wireguard/templates/wg0.conf b/roles/wireguard/templates/wg0.conf
index 1d6140c..aff1300 100644
--- a/roles/wireguard/templates/wg0.conf
+++ b/roles/wireguard/templates/wg0.conf
@@ -3,6 +3,17 @@ PrivateKey = {{ wg_private_key }}
Address = {{ wg_addr4 }}, {{ wg_addr6 }}
ListenPort = {{ wg_listen_port }}
SaveConfig = false
+
+{% if wg_firewall %}
+PostUp = iptables -t nat -A POSTROUTING -s {{ wg_addr4 }} -m policy --pol none --dir out -j MASQUERADE
+PostUp = iptables -A FORWARD -s {{ wg_addr4 }} -j ACCEPT
+PostUp = ip6tables -t nat -A POSTROUTING -s {{ wg_addr6 }} -m policy --pol none --dir out -j MASQUERADE
+PostUp = ip6tables -A FORWARD -s {{ wg_addr6 }} -j ACCEPT
+PostDown = iptables -t nat -D POSTROUTING -s {{ wg_addr4 }} -m policy --pol none --dir out -j MASQUERADE
+PostDown = iptables -D FORWARD -s {{ wg_addr4 }} -j ACCEPT
+PostDown = ip6tables -t nat -A POSTROUTING -s {{ wg_addr6 }} -m policy --pol none --dir out -j MASQUERADE
+PostDown = ip6tables -D FORWARD -s {{ wg_addr6 }} -j ACCEPT
+{% endif %}
{% if wg_peers is defined %}
{% for peer in wg_peers %}