Add option to disable NAT iptables rules

README.md

@@ -78,6 +78,7 @@ These options can be configured in `docker-compose.yml` under `environment`.
 | `WG_DEFAULT_ADDRESS` | `10.8.0.x` | `10.6.0.x` | Clients IP address range |
 | `WG_DEFAULT_DNS` | `1.1.1.1` | `8.8.8.8, 8.8.4.4` | DNS server clients will use |
 | `WG_ALLOWED_IPS` | `0.0.0.0/0, ::/0` | `192.168.15.0/24, 10.0.1.0/24` | Allowed IPs clients will use |
+| `WG_NAT` | `true` | `false` | Enable or disable NAT iptables rules
 
 > If you change `WG_PORT`, make sure to also change the exposed port.
 

src/config.js

@@ -13,3 +13,4 @@ module.exports.WG_DEFAULT_DNS = typeof process.env.WG_DEFAULT_DNS === 'string'
   ? process.env.WG_DEFAULT_DNS
   : '1.1.1.1';
 module.exports.WG_ALLOWED_IPS = process.env.WG_ALLOWED_IPS || '0.0.0.0/0, ::/0';
+module.exports.WG_NAT = process.env.WG_NAT || true;

src/lib/WireGuard.js

@@ -17,6 +17,7 @@ const {
   WG_DEFAULT_DNS,
   WG_DEFAULT_ADDRESS,
   WG_ALLOWED_IPS,
+  WG_NAT,
 } = require('../config');
 
 module.exports = class WireGuard {
@@ -53,10 +54,14 @@ module.exports = class WireGuard {
         await this.__saveConfig(config);
         await Util.exec('wg-quick down wg0').catch(() => {});
         await Util.exec('wg-quick up wg0');
-        await Util.exec(`iptables -t nat -A POSTROUTING -s ${WG_DEFAULT_ADDRESS.replace('x', '0')}/24 -o eth0 -j MASQUERADE`);
-        await Util.exec('iptables -A INPUT -p udp -m udp --dport 51820 -j ACCEPT');
-        await Util.exec('iptables -A FORWARD -i wg0 -j ACCEPT');
-        await Util.exec('iptables -A FORWARD -o wg0 -j ACCEPT');
+
+        if (WG_NAT) {
+          await Util.exec(`iptables -t nat -A POSTROUTING -s ${WG_DEFAULT_ADDRESS.replace('x', '0')}/24 -o eth0 -j MASQUERADE`);
+          await Util.exec('iptables -A INPUT -p udp -m udp --dport 51820 -j ACCEPT');
+          await Util.exec('iptables -A FORWARD -i wg0 -j ACCEPT');
+          await Util.exec('iptables -A FORWARD -o wg0 -j ACCEPT');
+        }
+
         await this.__syncConfig();
 
         return config;