WG: apply advertised routes on server immediately; relax rp_filter for routed clients

client/install_client.sh

@@ -347,6 +347,8 @@ build_lan_nat_hooks_if_needed() {
   local fwd="/etc/sysctl.d/99-wireguard-client-forwarding.conf"
   cat > "$fwd" <<EOF_FWD
 net.ipv4.ip_forward=1
+net.ipv4.conf.all.rp_filter=2
+net.ipv4.conf.default.rp_filter=2
 EOF_FWD
   sysctl --system >/dev/null || true
 

server/wg-peerctl.sh

@@ -207,6 +207,71 @@ extract_peer_address_by_pubkey() {
   ' "$WG_CONF" | awk -F',' '{print $1}' | xargs
 }
 
+extract_peer_allowed_ips_by_pubkey() {
+  local pubkey="$1"
+  awk -v pk="$pubkey" '
+    $0 ~ /^\[Peer\]/ {in_peer=1; key=""; allowed=""}
+    in_peer && $0 ~ /^PublicKey[[:space:]]*=/ {
+      sub(/^[^=]*=[[:space:]]*/, "", $0); key=$0
+    }
+    in_peer && $0 ~ /^AllowedIPs[[:space:]]*=/ {
+      sub(/^[^=]*=[[:space:]]*/, "", $0); allowed=$0
+    }
+    in_peer && key==pk && allowed!="" {print allowed; exit}
+  ' "$WG_CONF" | xargs
+}
+
+routes_without_primary_address() {
+  local allowed_ips="$1"
+  local primary_addr="$2"
+  local out=""
+  local item
+  local norm_primary
+  norm_primary="$(echo "$primary_addr" | xargs)"
+
+  IFS=',' read -ra items <<< "$allowed_ips"
+  for item in "${items[@]}"; do
+    item="$(echo "$item" | xargs)"
+    [[ -z "$item" ]] && continue
+    if [[ -n "$norm_primary" && "$item" == "$norm_primary" ]]; then
+      continue
+    fi
+    if [[ -z "$out" ]]; then
+      out="$item"
+    else
+      out="${out},${item}"
+    fi
+  done
+
+  echo "$out"
+}
+
+apply_client_routes_now() {
+  local routes="${1:-}"
+  [[ -n "$routes" ]] || return 0
+
+  local cidr
+  IFS=',' read -ra cidrs <<< "$routes"
+  for cidr in "${cidrs[@]}"; do
+    cidr="$(echo "$cidr" | xargs)"
+    [[ -n "$cidr" ]] || continue
+    ip route replace "$cidr" dev "$WG_INTERFACE" proto static >/dev/null 2>&1 || true
+  done
+}
+
+remove_client_routes_now() {
+  local routes="${1:-}"
+  [[ -n "$routes" ]] || return 0
+
+  local cidr
+  IFS=',' read -ra cidrs <<< "$routes"
+  for cidr in "${cidrs[@]}"; do
+    cidr="$(echo "$cidr" | xargs)"
+    [[ -n "$cidr" ]] || continue
+    ip route del "$cidr" dev "$WG_INTERFACE" >/dev/null 2>&1 || true
+  done
+}
+
 apply_config() {
   if systemctl is-active --quiet "wg-quick@${WG_INTERFACE}"; then
     wg syncconf "$WG_INTERFACE" <(wg-quick strip "$WG_CONF")
@@ -262,6 +327,7 @@ cmd_add() {
     existing_allowed="${existing_addr:-}"
     if [[ -n "$client_routes" ]]; then
       existing_allowed="${existing_allowed},${client_routes}"
+      apply_client_routes_now "$client_routes"
     fi
     sync_gui_db_upsert_peer "$client_name" "$client_pubkey" "${existing_addr:-}" "$client_routes" "$client_psk" "${existing_allowed}" 1
     cat <<EOF_OUT
@@ -303,6 +369,7 @@ EOF_OUT
   } >> "$WG_CONF"
 
   apply_config
+  apply_client_routes_now "$client_routes"
   sync_gui_db_upsert_peer "$client_name" "$client_pubkey" "$client_address" "$client_routes" "$client_psk" "$peer_allowed_ips" 1
 
   cat <<EOF_OUT
@@ -332,6 +399,10 @@ cmd_remove() {
 
   load_meta
   [[ -f "$WG_CONF" ]] || die "Не найден конфиг WireGuard: $WG_CONF"
+  local existing_allowed existing_addr existing_routes
+  existing_allowed="$(extract_peer_allowed_ips_by_pubkey "$client_pubkey")"
+  existing_addr="$(extract_peer_address_by_pubkey "$client_pubkey")"
+  existing_routes="$(routes_without_primary_address "$existing_allowed" "$existing_addr")"
   backup_file "$WG_CONF"
 
   local tmp
@@ -362,6 +433,7 @@ cmd_remove() {
   safe_chmod_600 "$WG_CONF"
 
   apply_config
+  remove_client_routes_now "$existing_routes"
   sync_gui_db_set_enabled "$client_pubkey" 0
 
   cat <<EOF_OUT