Created
October 29, 2025 14:29
How to restrict a WireGuard client's access to a single port (WG-Easy)
1. Make a shell script in the same directory as your compose file with the following:

    #!/bin/sh
    # Allow this client to reach only the one TCP service.
    iptables -A FORWARD -i wg0 -s CLIENTIPHERE -p tcp -d SERVICEIPHERE --dport SERVICEPORTHERE -j ACCEPT
    # Drop everything else forwarded from this client. This rule must come after the ACCEPT above.
    iptables -A FORWARD -i wg0 -s CLIENTIPHERE -j DROP
    # Start WG-Easy.
    exec /usr/bin/dumb-init node server/index.mjs

2. Change CLIENTIPHERE, SERVICEIPHERE and SERVICEPORTHERE to match your setup.

3. chmod +x the shell script.

4. Add the script to the WG-Easy compose volumes section:

    - ./SHELLSCRIPTNAME.sh:/app/SHELLSCRIPTNAME.sh

5. Set the script as the WG-Easy compose entrypoint:

    entrypoint: ["/app/SHELLSCRIPTNAME.sh"]

6. Test and enjoy.