added example config

2025-05-04 10:51:23 +00:00 · 2024-06-23 15:26:15 +02:00 · 2024-06-23 15:26:15 +02:00 · 354b10f72d
commit 354b10f72d
parent ab4ac633a4
1 changed files with 27 additions and 0 deletions
--- a/wireguard/DOCS.md
+++ b/wireguard/DOCS.md
@ -202,10 +202,37 @@ IP range would be `192.168.0.0`. Suffix `/24` is a way of subnet mask
 specifying in CIDR, and usually you should not be worried by this. 

 **Hint**
+
 If you would like to access more than your HomeAssistant device, you can just 
 additional `iptables` commands before this command:
 - `iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT;`

+Finally your yaml `post_up` section may look like:
+```yaml
+post_up: >-
+  iptables -A FORWARD -i %i -d <internal-ip-address-of-your-HomeAssistant-instance> -j ACCEPT;
+  iptables -A FORWARD -i %i -d <internal-ip-address-of-any-additional-lan-device> -j ACCEPT;
+  iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT;
+  iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE;
+  iptables -A FORWARD -i %i -o %o -j ACCEPT;
+  iptables -A FORWARD -i %i -d <LAN-IP-ADDRESS>/24 -j DROP
+```
+
+Example config of `post_up` section, with two LAN devices accessible:
+```yaml
+host: myautomatedhome.duckdns.org
+addresses:
+  - 172.27.66.1
+dns: []
+post_up: >-
+  iptables -A FORWARD -i %i -d 192.168.0.13 -j ACCEPT;  
+  iptables -A FORWARD -i %i -d 192.168.0.37 -j ACCEPT;
+  iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT;  
+  iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE;  
+  iptables -A FORWARD -i %i -o %o -j ACCEPT;  
+  iptables -A FORWARD -i %i -d 192.168.0.0/24 -j DROP
+```
+
 ### Option: `server.post_down` _(optional)_

 Allows you to run commands after WireGuard has been stopped. This is useful