From ab4ac633a493690254fe357fce393862172a3b04 Mon Sep 17 00:00:00 2001 From: I Date: Sun, 23 Jun 2024 15:15:49 +0200 Subject: [PATCH] added info about security of post_up iptables config --- wireguard/DOCS.md | 33 ++++++++++++++++++++++++++++++++- 1 file changed, 32 insertions(+), 1 deletion(-) diff --git a/wireguard/DOCS.md b/wireguard/DOCS.md index 75fd37b..5508a92 100644 --- a/wireguard/DOCS.md +++ b/wireguard/DOCS.md @@ -1,4 +1,4 @@ -# Home Assistant Community Add-on: WireGuard +l# Home Assistant Community Add-on: WireGuard [WireGuard®][wireguard] is an extremely simple yet fast and modern VPN that utilizes state-of-the-art cryptography. It aims to be faster, simpler, leaner, 
@@ -175,6 +175,37 @@ iptables -A FORWARD -o %i -j ACCEPT iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE ``` +Moreover you would like to access only your HomeAssistant machine, not all +the devices from your LAN network. To do so, you can use this example of +server-side configuration: + +```yaml +host: myautomatedhome.duckdns.org +addresses: + - 172.27.66.1 +dns: [] +post_up: >- + iptables -A FORWARD -i %i -d -j ACCEPT; + iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT; + iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE; + iptables -A FORWARD -i %i -o %o -j ACCEPT; + iptables -A FORWARD -i %i -d /24 -j DROP +``` + +In this configuration, you would need to change two things: +- `` +with your internal IP address of the HomeASsistant host, for example: +`192.168.0.12` +- `` your destination IP range, specifying the LAN subnet. +Lets assume your HomeAssistant host have IP `192.168.0.12` , then your +IP range would be `192.168.0.0`. Suffix `/24` is a way of subnet mask +specifying in CIDR, and usually you should not be worried by this. + +**Hint** +If you would like to access more than your HomeAssistant device, you can just +additional `iptables` commands before this command: +- `iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT;` + ### Option: `server.post_down` _(optional)_ Allows you to run commands after WireGuard has been stopped. This is useful
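Review bot: In the first hunk (`@@ -1,4 +1,4 @@`), the heading line is changed from `# Home Assistant Community Add-on: WireGuard` to `l# Home Assistant Community Add-on: WireGuard`; the leading `l` looks like an accidental keystroke and it breaks the Markdown H1, so this hunk should be dropped from the patch rather than committed.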
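Review bot: In the second hunk (`@@ -175,6 +175,37 @@`), the `post_up` rule set does not actually restrict clients to the Home Assistant host, because `iptables -A FORWARD -i %i -o %o -j ACCEPT;` is appended before `iptables -A FORWARD -i %i -d /24 -j DROP` and iptables evaluates the FORWARD chain in order with first match winning, so any packet matched by that ACCEPT never reaches the DROP; either remove the broad ACCEPT or place the DROP (and the single-host ACCEPT) ahead of it, and also double-check that the add-on expands `%o`, since wg-quick itself documents only `%i`. Separately, the two placeholders have been lost from the text: `iptables -A FORWARD -i %i -d -j ACCEPT;` has no destination, `-d /24` has no network, and both list items below the block are empty backticks (`` `` ``), which reads as if angle-bracketed tokens were stripped; restore the placeholder names in all four places (inline code without angle brackets survives Markdown rendering). Finally, the doc text needs a pass: "HomeASsistant" and "Lets assume your HomeAssistant host have IP" are typos, "you can just additional `iptables` commands before this command:" is missing a verb, and the "Hint" section ends after a single list item that simply repeats the ESTABLISHED,RELATED rule, which suggests the paragraph is unfinished.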