From ca59eeb5c31b11ed086d8aa1d56676c512e3ec3a Mon Sep 17 00:00:00 2001
From: Jack Ivanov <17044561+jackivanov@users.noreply.github.com>
Date: Fri, 20 Jul 2018 17:31:27 +0300
Subject: [PATCH] Explicitly allow traffic between clients if enabled (#1028)

---
 roles/vpn/templates/rules.v4.j2 | 5 +++--
 roles/vpn/templates/rules.v6.j2 | 5 ++++-
 2 files changed, 7 insertions(+), 3 deletions(-)

diff --git a/roles/vpn/templates/rules.v4.j2 b/roles/vpn/templates/rules.v4.j2
index dbcc368..820589f 100644
--- a/roles/vpn/templates/rules.v4.j2
+++ b/roles/vpn/templates/rules.v4.j2
@@ -69,10 +69,11 @@ COMMIT
 # Accept DNS traffic to the local DNS resolver
 -A INPUT -d {{ local_service_ip }} -p udp --dport 53 -j ACCEPT
 
-{% if BetweenClients_DROP is defined and BetweenClients_DROP == "Y" %}
 # Drop traffic between VPN clients
--A FORWARD -s {{ vpn_network }}{% if wireguard_enabled %},{{ wireguard_vpn_network }}{% endif %} -d {{ vpn_network }}{% if wireguard_enabled %},{{ wireguard_vpn_network }}{% endif %} -j DROP
+{% if BetweenClients_DROP is defined and BetweenClients_DROP == "Y" %}
+{% set BetweenClientsPolicy = "DROP" %}
 {% endif %}
+-A FORWARD -s {{ vpn_network }}{% if wireguard_enabled %},{{ wireguard_vpn_network }}{% endif %} -d {{ vpn_network }}{% if wireguard_enabled %},{{ wireguard_vpn_network }}{% endif %} -j {{ BetweenClientsPolicy | default("ACCEPT") }}
 
 # Forward any packet that's part of an established connection
 -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
diff --git a/roles/vpn/templates/rules.v6.j2 b/roles/vpn/templates/rules.v6.j2
index df0603a..4f00c30 100644
--- a/roles/vpn/templates/rules.v6.j2
+++ b/roles/vpn/templates/rules.v6.j2
@@ -84,9 +84,12 @@ COMMIT
 # Accept DNS traffic to the local DNS resolver
 -A INPUT -d fcaa::1 -p udp --dport 53 -j ACCEPT
 
+# Drop traffic between VPN clients
 {% if BetweenClients_DROP is defined and BetweenClients_DROP == "Y" %}
--A FORWARD -s {{ vpn_network_ipv6 }}{% if wireguard_enabled %},{{ wireguard_vpn_network_ipv6 }}{% endif %} -d {{ vpn_network_ipv6 }}{% if wireguard_enabled %},{{ wireguard_vpn_network_ipv6 }}{% endif %} -j DROP
+{% set BetweenClientsPolicy = "DROP" %}
 {% endif %}
+-A FORWARD -s {{ vpn_network_ipv6 }}{% if wireguard_enabled %},{{ wireguard_vpn_network_ipv6 }}{% endif %} -d {{ vpn_network_ipv6 }}{% if wireguard_enabled %},{{ wireguard_vpn_network_ipv6 }}{% endif %} -j {{ BetweenClientsPolicy | default("ACCEPT") }}
+
 -A FORWARD -j ICMPV6-CHECK
 -A FORWARD -p tcp --dport 445 -j DROP
 -A FORWARD -p udp -m multiport --ports 137,138 -j DROP