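#!/bin/sh
# VA1DER - qro.va1der.ca local script to enable forwarding over wireguard
#
# Re-runnable: each rule is removed (every existing copy) and then inserted
# once at the top of its chain, so repeated runs do not pile up duplicates.
# Must run with enough privilege to modify netfilter rules.

IPT="/sbin/iptables"
IN_IFACE="eth0"        # Server's internet-facing interface name
WG_IFACE="wg0"         # WireGuard interface name
SUB_NET="10.8.30.0/24" # WireGuard network in CIDR
WG_PORT="51820"        # WireGuard UDP port number

#######################################
# Remove every copy of a rule, then insert it once at position 1.
# Globals:   IPT (read)
# Arguments: $1 - table name, $2 - chain name, remaining - rule specification
# Returns:   exit status of the final insert
#######################################
replace_rule() {
  rr_table=$1
  rr_chain=$2
  shift 2
  # iptables -D takes either a rule number or a rule specification, not both.
  # The earlier "-D POSTROUTING 1 -s ..." form mixed the two, and with stderr
  # discarded the failure went unnoticed, so each run added another MASQUERADE
  # rule. Delete by specification, looping until no match is left, which also
  # clears duplicates left behind by previous runs.
  while "$IPT" -t "$rr_table" -D "$rr_chain" "$@" 2>/dev/null; do
    :
  done
  "$IPT" -t "$rr_table" -I "$rr_chain" 1 "$@"
}

# Source-NAT traffic from the WireGuard subnet leaving via the public interface.
replace_rule nat POSTROUTING -s "$SUB_NET" -o "$IN_IFACE" -j MASQUERADE

# NOTE(review): this accepts all traffic arriving on the tunnel, so every peer
# can reach every service listening on this host. Narrow it to the needed
# ports if peers are not fully trusted.
replace_rule filter INPUT -i "$WG_IFACE" -j ACCEPT

# NOTE(review): this rule is stateless, so new connections arriving on
# $IN_IFACE and routed towards the tunnel are forwarded too, not only replies.
# If peers should not be reachable from that side, restrict it with
# "-m conntrack --ctstate ESTABLISHED,RELATED". Left unchanged here because
# the intended exposure cannot be determined from this script alone.
replace_rule filter FORWARD -i "$IN_IFACE" -o "$WG_IFACE" -j ACCEPT

# Let tunnel clients out through the public interface.
replace_rule filter FORWARD -i "$WG_IFACE" -o "$IN_IFACE" -j ACCEPT

# Allow the WireGuard handshake and data packets in from the internet.
replace_rule filter INPUT -i "$IN_IFACE" -p udp --dport "$WG_PORT" -j ACCEPT

# end.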