From 0b2eb8d752c5229e50663226be897f8ef8bfa013 Mon Sep 17 00:00:00 2001
From: Egor Tensin <Egor.Tensin@gmail.com>
Date: Tue, 8 Aug 2023 22:38:33 +0200
Subject: wireguard: optionally set iptables rules

---
 roles/wireguard/templates/wg0.conf | 11 +++++++++++
 1 file changed, 11 insertions(+)

(limited to 'roles/wireguard/templates/wg0.conf')

diff --git a/roles/wireguard/templates/wg0.conf b/roles/wireguard/templates/wg0.conf
index 1d6140c..aff1300 100644
--- a/roles/wireguard/templates/wg0.conf
+++ b/roles/wireguard/templates/wg0.conf
@@ -3,6 +3,17 @@ PrivateKey = {{ wg_private_key }}
 Address = {{ wg_addr4 }}, {{ wg_addr6 }}
 ListenPort = {{ wg_listen_port }}
 SaveConfig = false
+
+{% if wg_firewall %}
+PostUp = iptables -t nat -A POSTROUTING -s {{ wg_addr4 }} -m policy --pol none --dir out -j MASQUERADE
+PostUp = iptables -A FORWARD -s {{ wg_addr4 }} -j ACCEPT
+PostUp = ip6tables -t nat -A POSTROUTING -s {{ wg_addr6 }} -m policy --pol none --dir out -j MASQUERADE
+PostUp = ip6tables -A FORWARD -s {{ wg_addr6 }} -j ACCEPT
+PostDown = iptables -t nat -D POSTROUTING -s {{ wg_addr4 }} -m policy --pol none --dir out -j MASQUERADE
+PostDown = iptables -D FORWARD -s {{ wg_addr4 }} -j ACCEPT
+PostDown = ip6tables -t nat -A POSTROUTING -s {{ wg_addr6 }} -m policy --pol none --dir out -j MASQUERADE
+PostDown = ip6tables -D FORWARD -s {{ wg_addr6 }} -j ACCEPT
+{% endif %}
 {% if wg_peers is defined %}
 {% for peer in wg_peers %}
 
-- 
cgit v1.2.3