* Add per-client firewall filtering
Implement server-side firewall rules to restrict client network access,
allowing administrators to enforce security policies that cannot be
bypassed by clients modifying their local configuration.
This feature addresses the limitation where "Allowed IPs" only controls
client-side routing but doesn't prevent clients from accessing networks
they shouldn't reach. The firewall rules are enforced on the server
using iptables/ip6tables and provide true access control.
Features:
- Opt-in via "Enable Per-Client Firewall" toggle in admin interface
- Per-client "Firewall Allowed IPs" field for granular control
- Support for IPs, CIDRs, and port-based filtering
- Protocol specification: TCP, UDP, or both (default)
- IPv4 and IPv6 dual-stack support
- Falls back to client's allowedIps when firewallIps is empty
- Clean separation of routing (allowedIps) from security (firewallIps)
Supported formats:
- 10.10.0.3 (single IP)
- 10.10.0.0/24 (CIDR range)
- 192.168.1.5:443 (IP with port, both TCP+UDP)
- 192.168.1.5:443/tcp (IP with specific protocol)
- [2001:db8::1]:443 (IPv6 with port)
Implementation:
- New database columns: firewall_enabled (interfaces), firewall_ips (clients)
- Migration 0003_add_firewall_filtering for schema updates
- firewall.ts utility for iptables chain management (WG_CLIENTS chain)
- Integration into WireGuard.ts for automatic rule application
- UI components with conditional rendering based on firewall toggle
Technical details:
- Uses custom WG_CLIENTS iptables chain for isolation
- Rebuild strategy: flush and recreate all rules on config save
- Mutex protection via rebuildInProgress/rebuildQueued flags
- Graceful cleanup when firewall is disabled
- No new dependencies (uses existing is-ip, is-cidr packages)
* added Comprehensive documentation in README and docs/ for firewall
filtering
* validate firewall IPs
* check for iptables before enabling the firewall and inform the user if
it is missing
* updated firewall docs
* fix imports
* remove extra import
* Document all allowed IP/cidr/port/proto combinations that are allowed
and check on save
* add note on firewall being experimental and how to opt a single client
out of the firewall.
* cleanup more imports
* add tests
* Fix firewall IPv6 validation and test expectations
Updated validation to correctly handle plain and bracketed IPv6 addresses, and fixed test to expect string from schema instead of object.
* added comments to firewall rules and updated tests
* fix auto-import
* fix typescript errors
* recreate sql migrations and rebase
* improve tests, typechecking, documentation
* fix formatting, fix types
* improve type
* added note for including host's IP in client firewall
* updated language to include cidr and protocol options
* another language update
* refer to docs for firewall allowed IPs
---------
Co-authored-by: Bernd Storath <999999bst@gmail.com>
* Add Czech localization file for i18n
* Add Czech locale support to i18n configuration
* Add Czech language support to nuxt.config.ts
* Update Czech translation for 'hooks' key
* AmneziaWG 2.0: support for H1-H4 ranges
## Changes:
```
- [+] Added support for H1-H4 ranges
- [!] Fixed interface fields order (H1-H4 goes before I1-I5)
```
## Known issues:
```
- [!] no check for unique/overlap of H1-H4 values on settings apply:
settings will be applied but wg interface will crash with "Invalid argument" error
```
* AmneziaWG 2.0: support for H1-H4 ranges
## Changes:
```
- [+] Added support for H1-H4 ranges
- [!] Fixed interface fields order (H1-H4 goes before I1-I5)
```
## Known issues:
```
- [!] no check for unique/overlap of H1-H4 values on settings apply:
settings will be applied but wg interface will crash with "Invalid argument" error
```
* AmneziaWG 2.0: support for H1-H4 ranges
## Changes:
```
- [+] Added support for H1-H4 ranges
- [!] Fixed interface fields order (H1-H4 goes before I1-I5)
```
## Known issues:
```
- [!] no check for unique/overlap of H1-H4 values on settings apply:
settings will be applied but wg interface will crash with "Invalid argument" error
```
* Update types.ts
Lint fixes
---------
Co-authored-by: CthulhuVRN <alexander@ptitsyn.info>
The RU translation changed "junk" from "мусорный" to "шумовой".
Amnezia authors consistently describe these packets/bytes as "мусор" in their docs and Habr posts. Align wording with upstream terminology to avoid confusion for RU users.
* Extend docs for routed setup with nftables
When using nftables in a routed setup different up and down hooks need to be used.
To limit interaction with docker managed chains a custom WG_EASY chain is added as a jump target.
Since nft only supports deletion via handles awk is needed to get the handle of the jump rule for deletion
* Remove link to podman-nft
* Fix formatting according to prettier rules
* Add additional whitespace
Bernd Storath