From b0e45fe0f70a6e36c2846f665713647e6e0db234 Mon Sep 17 00:00:00 2001
From: Johan
Date: Sat, 23 Mar 2024 13:52:34 +0100
Subject: [PATCH] Update Wireguard with allowed destination IPs
---
 BashScripts/install-wireguard-server.sh | 33 ++++++++++++++++++-------
 1 file changed, 24 insertions(+), 9 deletions(-)
diff --git a/BashScripts/install-wireguard-server.sh b/BashScripts/install-wireguard-server.sh
index 4d37802..65bf61a 100644
--- a/BashScripts/install-wireguard-server.sh
+++ b/BashScripts/install-wireguard-server.sh
@@ -8,11 +8,12 @@ read -e -p "Enter lan NIC: " -i $(ip route | grep default | sed -e 's/^.*dev.//'
 read -e -p "Enter VPN subnet: " -i "192.168.200" VPN_SUBNET
 read -e -p "Enter LAN subnet: " -i "192.168.0" LAN_SUBNET
 read -e -p "Enter VPN public hostname: " -i "home.myspace.nu" VPN_PUBLIC_HOST
+read -e -p "Allowed destination LAN IPs (empty for all): " -i "${LAN_SUBNET}.1,${LAN_SUBNET}.2" ALLOWED_HOST_IPs
 if [ $(dpkg-query -W -f='${Status}' wireguard 2>/dev/null | grep -c "ok installed") -eq 0 ]; then
- echo "Installing Wireguard"
- apt install wireguard
+ echo "Installing Wireguard..."
+ apt install wireguard -y
 fi
 mkdir -m 0700 /etc/wireguard/ > /dev/null 2>&1
@@ -33,22 +34,36 @@ if ! grep -q "net.ipv4.ip_forward" "/etc/sysctl.d/10-wireguard.conf"; then
 sysctl -p /etc/sysctl.d/10-wireguard.conf
 fi
+if [ -z "$ALLOWED_HOST_IPs" ]
+then
+ POSTUP="$POSTUP""PostUp = iptables -A FORWARD -i %i -d $LAN_SUBNET.0/24 -j ACCEPT
+"
+ POSTDOWN="$POSTDOWN""PostDown = iptables -D FORWARD -i %i -d $LAN_SUBNET.0/24 -j ACCEPT
+"
+else
+ for i in ${ALLOWED_HOST_IPs//,/ }
+ do
+ POSTUP="$POSTUP""PostUp = iptables -A FORWARD -i %i -d $i/32 -j ACCEPT
+"
+ POSTDOWN="$POSTDOWN""PostDown = iptables -D FORWARD -i %i -d $i/32 -j ACCEPT
+"
+ done
+fi
+ sudo tee /etc/wireguard/wg0.conf.base > /dev/null < /etc/wireguard/wg0.conf
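Review bot: The value read into `ALLOWED_HOST_IPs` on the new `read` line is never validated before the next hunk splits it on commas and interpolates each entry into an `iptables ... -d $i/32` rule, so a stray space, a hostname, or an entry that already carries a prefix (yielding `/24/32`) appears to fail only when PostUp runs, which is likely to leave wg0 unable to come up. Validate each entry right after the prompt, e.g. `for ip in ${ALLOWED_HOST_IPs//,/ }; do` / `  [[ "$ip" =~ ^([0-9]{1,3}\.){3}[0-9]{1,3}$ ]] || { echo "Invalid IP: $ip" >&2; exit 1; }` / `done`. Like its siblings the new `read` lacks `-r`, so a backslash in the answer is interpreted rather than kept; `read -r -e -p ...` preserves it as typed. The mixed-case name `ALLOWED_HOST_IPs` also breaks the UPPER_SNAKE convention of the surrounding variables; `ALLOWED_HOST_IPS` would match.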