diff --git a/README.md b/README.md index 7f2df64a..7a1db607 100644 --- a/README.md +++ b/README.md @@ -33,7 +33,7 @@ You have found the easiest way to install & manage WireGuard on any Linux host! - IPv6 support - CIDR support - 2FA support -- Per-client firewall filtering +- Per-client firewall filtering (requires iptables) > [!NOTE] > To better manage documentation for this project, it has its own site here: [https://wg-easy.github.io/wg-easy/latest](https://wg-easy.github.io/wg-easy/latest) diff --git a/docs/content/faq.md b/docs/content/faq.md index 1645c4bb..d510dc75 100644 --- a/docs/content/faq.md +++ b/docs/content/faq.md @@ -10,6 +10,8 @@ Here are some frequently asked questions or errors about `wg-easy`. If you have Use the **Per-Client Firewall** feature to enforce server-side restrictions on what each client can access. +**Requirements:** This feature requires `iptables` (and `ip6tables` for IPv6) to be installed on the host system. + 1. Enable "Per-Client Firewall" in **Admin Panel → Interface** 2. Edit a client and configure "Firewall Allowed IPs" 3. Specify which destinations the client should be allowed to access diff --git a/docs/content/guides/admin.md b/docs/content/guides/admin.md index 231f7b1a..f09ba79b 100644 --- a/docs/content/guides/admin.md +++ b/docs/content/guides/admin.md @@ -10,6 +10,16 @@ Enable server-side firewall filtering to enforce network access restrictions per When enabled, each client can have custom "Firewall Allowed IPs" configured that restrict which destinations they can access through the VPN. These restrictions are enforced by the server using iptables/ip6tables and cannot be bypassed by the client. +**Requirements:** + +- `iptables` must be installed on the host system +- `ip6tables` must be installed if IPv6 is enabled (default) +- The feature cannot be enabled if these tools are not available + +/// note +Most Linux distributions include iptables by default. If you're running in a minimal container environment, you may need to install the `iptables` package on the host system. +/// + **Enable this feature if you want to:** - Restrict certain clients to only access specific servers or networks