UFW Integration - Githubissues

Checklist

[x] I searched existing Issues, and did not find a similar enhancement request
[x] This enhancement request is about the VPN setup script, and not WireGuard VPN itself
[x] I read the README
[x] I followed instructions to configure VPN clients

Describe the enhancement request UFW is the default firewall configuration tool for Ubuntu. As such it is widely used on many Ubuntu-based servers for firewalling. Currently wireguard-install completely bypasses UFW by adding rules through the wg-iptables service.

As per the ubuntu manpages UFW supports the forwarding and filtering functionality required by the Wireguard VPN. Some of it can be accomplished through the ufw command, while the rest has to be performed through direct modification of /etc/ufw/before.rules.

On a host with UFW installed and enabled, instead of creating the wireguard-iptables service, wireguard-install should append the post-routing rules to /etc/ufw/before.rules:

*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 10.7.0.0/24 ! -d 10.7.0.0/24 -j MASQUERADE

COMMIT

and run the following commands:

ufw allow from any to any port $port proto udp
ufw route allow from 10.7.0.0/24
ufw reload

I think that the last rule in wireguard-iptables can be ommited, as /etc/ufw/before.rules already has the following:

# quickly process packets for which we already have a connection
-A ufw-before-input -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-output -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-forward -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

but that would require verification.

Is your enhancement request related to a problem? Please describe. UFW clashing with wireguard-iptables.

Additional context N/A

hwdsl2 / wireguard-install

UFW Integration #26