@vaultah
Created September 2, 2023 18:34
Add PostUp / PreDown rules to Wireguard configs to restrict traffic to the tunnel
# Usage (must run as root so it can read and rewrite the files under /etc/wireguard;
# the second form lets the glob expand with root's permissions):
# python3 /home/me/postup_predown.py /etc/wireguard/*.conf
# sudo bash -c 'python3 /home/me/postup_predown.py /etc/wireguard/*.conf'
import configparser, sys

for path in sys.argv[1:]:
    # RawConfigParser does no '%' interpolation, so wg-quick's %i placeholder survives.
    conf = configparser.RawConfigParser()
    conf.optionxform = str  # keep key case (PostUp/PreDown); the default lowercases keys
    # The strict parser raises DuplicateSectionError on a config with more than one
    # [Peer] section, so such a file is left untouched rather than rewritten.
    conf.read(path)
    # wg-quick(8) kill switch: reject outbound packets that neither leave via the tunnel
    # nor carry its fwmark, except packets addressed to a local address.
    conf['Interface']['PostUp'] = 'iptables -I OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT && ip6tables -I OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT'
    # Remove the same rules before the interface goes down.
    conf['Interface']['PreDown'] = 'iptables -D OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT && ip6tables -D OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT'
    # Rewrite in place; any existing PostUp/PreDown values are replaced.
    with open(path, 'w') as out:
        conf.write(out)
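The configparser approach above cannot represent a config with several `[Peer]` sections (repeated section names are an error), and it silently replaces any PostUp/PreDown the file already has. The following is an added example, not the gist's code, that inserts the same wg-quick(8) kill-switch rules with a small line-oriented rewrite instead: it keeps every `[Peer]` section and the file's layout, refuses to overwrite existing PostUp/PreDown keys so a re-run never stacks duplicate rules, and keeps a `.bak` copy with the original mode bits. The names `kill_switch_rules`, `add_kill_switch`, `rewrite_file` and `SAMPLE_CONF` are mine; the rule text is the gist's.

```python
"""Added example (not the gist's code): insert the wg-quick(8) kill-switch
PostUp/PreDown lines into a WireGuard config while preserving every [Peer]
section. configparser cannot hold repeated section names, so a small
line-oriented rewrite is used instead. SAMPLE_CONF below is constructed."""
import pathlib
import re
import shutil
import sys

# The rule from the gist: reject outbound packets that neither leave through the
# tunnel nor carry its fwmark, except packets addressed to a local address.
RULE = ("{tool} {action} OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) "
        "-m addrtype ! --dst-type LOCAL -j REJECT")
HEADER = re.compile(r"^\s*\[(\w+)\]\s*$")


def kill_switch_rules(action: str) -> str:
    """Combined IPv4 + IPv6 rule; action is '-I' (install) or '-D' (remove)."""
    return " && ".join(RULE.format(tool=t, action=action) for t in ("iptables", "ip6tables"))


def add_kill_switch(text: str) -> str:
    """Return the config text with PostUp/PreDown appended to [Interface].

    Refuses to touch a file that already sets either key, or that has no
    (or more than one) [Interface] section, so a re-run never duplicates rules.
    """
    lines = text.splitlines()
    start = end = None
    section = None
    for i, line in enumerate(lines):
        m = HEADER.match(line)
        if m:
            if section == "Interface":
                end = i  # [Interface] body ends where the next section starts
            section = m.group(1)
            if section == "Interface":
                if start is not None:
                    raise ValueError("more than one [Interface] section")
                start = i
            continue
        if section == "Interface":
            key = line.split("=", 1)[0].strip()
            if key in ("PostUp", "PreDown"):
                raise ValueError(f"{key} already set; refusing to overwrite it")
    if start is None:
        raise ValueError("no [Interface] section")
    if end is None:
        end = len(lines)
    # Insert before the blank lines that separate [Interface] from the first [Peer].
    at = end
    while at > start + 1 and not lines[at - 1].strip():
        at -= 1
    new = ["PostUp = " + kill_switch_rules("-I"), "PreDown = " + kill_switch_rules("-D")]
    return "\n".join(lines[:at] + new + lines[at:]) + "\n"


def rewrite_file(path: str) -> None:
    """Rewrite one config in place, keeping a .bak copy with the same mode bits.

    copy2 preserves the 0600 mode, so the backup does not expose the private key;
    the extra suffix also keeps wg-quick from treating the copy as an interface.
    """
    p = pathlib.Path(path)
    shutil.copy2(p, p.with_name(p.name + ".bak"))
    p.write_text(add_kill_switch(p.read_text()))


# Constructed sample: one interface, two peers, placeholder keys.
SAMPLE_CONF = """\
[Interface]
PrivateKey = PLACEHOLDER_PRIVATE_KEY
Address = 10.0.0.2/32
DNS = 10.0.0.1

[Peer]
PublicKey = PLACEHOLDER_PEER1_KEY
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = vpn.example.invalid:51820

[Peer]
PublicKey = PLACEHOLDER_PEER2_KEY
AllowedIPs = 10.0.1.0/24
"""

if __name__ == "__main__":
    if len(sys.argv) > 1:
        for conf in sys.argv[1:]:  # e.g. sudo python3 this.py /etc/wireguard/*.conf
            rewrite_file(conf)
    else:
        print(add_kill_switch(SAMPLE_CONF))
```

Run without arguments it prints the rewritten sample so the placement can be checked before touching real files; with paths it rewrites them as the gist does. The refusal to overwrite an existing PostUp/PreDown is deliberate: wg-quick accepts several PostUp lines, and a script that blindly rewrites the key can either drop rules an admin added or, if it appended instead, install the same REJECT rule twice.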