firewall: accept VPN connections from inside also

People tend to leave WireGuard tunnels active and we don’t want things to become unreachable when moving to one of the inside networks.
2024-04-08 15:03:29 +02:00 · 2024-04-08 15:03:29 +02:00 · 6dcae194d7
commit 6dcae194d7
parent c479f90669
1 changed files with 2 additions and 2 deletions
--- a/roles/firewall/templates/nftables.nft.j2
+++ b/roles/firewall/templates/nftables.nft.j2
@ -41,8 +41,8 @@ table inet filter {
        iif @link udp dport 3784 ip6 saddr fe80::/10 accept \
        comment "Accept link-local BFD on fabric links"

-        iif @outside udp dport 51820 accept \
-        comment "Accept WireGuard from outside"
+        udp dport 51820 accept \
+        comment "Accept WireGuard from anywhere"

        iif {{ iface_sync }} ip6 saddr fe80::/10 udp dport 3780 accept \
        comment "Accept connection tracking sync data"