Client: auto-enable LAN forwarding/NAT; GUI: relax online status window

client/install_client.sh

@@ -24,6 +24,7 @@ SSH_PASSWORD=""
 
 KEEPALIVE="25"
 CLIENT_ADDRESS_PREFIX="24"
+FORWARDING_MODE="disabled"
 
 usage() {
   cat <<'USAGE'
@@ -303,6 +304,12 @@ build_allowed_ips() {
 build_route_hooks_if_needed() {
   PRE_UP=""
   POST_DOWN=""
+  POST_UP_EXTRA_1=""
+  POST_UP_EXTRA_2=""
+  POST_UP_EXTRA_3=""
+  POST_DOWN_EXTRA_1=""
+  POST_DOWN_EXTRA_2=""
+  POST_DOWN_EXTRA_3=""
 
   if [[ "$TUNNEL_MODE" != "full" ]]; then
     return
@@ -321,6 +328,39 @@ build_route_hooks_if_needed() {
   fi
 }
 
+detect_iface_for_cidr() {
+  local cidr="$1"
+  ip -4 route show "$cidr" 2>/dev/null | awk '{for (i=1; i<=NF; i++) if ($i=="dev") {print $(i+1); exit}}'
+}
+
+build_lan_nat_hooks_if_needed() {
+  [[ -n "$ADVERTISE_SUBNETS" ]] || return
+
+  local first_cidr lan_iface wg_net
+  first_cidr="$(echo "$ADVERTISE_SUBNETS" | awk -F',' '{gsub(/ /,"",$1); print $1}')"
+  lan_iface="$(detect_iface_for_cidr "$first_cidr" || true)"
+  [[ -n "$lan_iface" ]] || lan_iface="$(detect_default_iface || true)"
+  [[ -n "$lan_iface" ]] || { log_warn "Не удалось определить LAN-интерфейс для NAT/forwarding."; return; }
+
+  wg_net="${SERVER_WG_NETWORK:-10.66.66.0/24}"
+
+  local fwd="/etc/sysctl.d/99-wireguard-client-forwarding.conf"
+  cat > "$fwd" <<EOF_FWD
+net.ipv4.ip_forward=1
+EOF_FWD
+  sysctl --system >/dev/null || true
+
+  POST_UP_EXTRA_1="PostUp = iptables -C FORWARD -i ${WG_INTERFACE} -o ${lan_iface} -j ACCEPT 2>/dev/null || iptables -A FORWARD -i ${WG_INTERFACE} -o ${lan_iface} -j ACCEPT"
+  POST_UP_EXTRA_2="PostUp = iptables -C FORWARD -i ${lan_iface} -o ${WG_INTERFACE} -m state --state RELATED,ESTABLISHED -j ACCEPT 2>/dev/null || iptables -A FORWARD -i ${lan_iface} -o ${WG_INTERFACE} -m state --state RELATED,ESTABLISHED -j ACCEPT"
+  POST_UP_EXTRA_3="PostUp = iptables -t nat -C POSTROUTING -s ${wg_net} -o ${lan_iface} -j MASQUERADE 2>/dev/null || iptables -t nat -A POSTROUTING -s ${wg_net} -o ${lan_iface} -j MASQUERADE"
+
+  POST_DOWN_EXTRA_1="PostDown = iptables -D FORWARD -i ${WG_INTERFACE} -o ${lan_iface} -j ACCEPT 2>/dev/null || true"
+  POST_DOWN_EXTRA_2="PostDown = iptables -D FORWARD -i ${lan_iface} -o ${WG_INTERFACE} -m state --state RELATED,ESTABLISHED -j ACCEPT 2>/dev/null || true"
+  POST_DOWN_EXTRA_3="PostDown = iptables -t nat -D POSTROUTING -s ${wg_net} -o ${lan_iface} -j MASQUERADE 2>/dev/null || true"
+
+  FORWARDING_MODE="enabled via ${lan_iface} (wg:${wg_net})"
+}
+
 build_client_interface_address() {
   local ip_only
   ip_only="${CLIENT_ADDRESS%%/*}"
@@ -360,6 +400,14 @@ write_client_config() {
     if [[ -n "$POST_DOWN" ]]; then
       echo "$POST_DOWN"
     fi
+    if [[ -n "$POST_UP_EXTRA_1" ]]; then
+      echo "$POST_UP_EXTRA_1"
+      echo "$POST_UP_EXTRA_2"
+      echo "$POST_UP_EXTRA_3"
+      echo "$POST_DOWN_EXTRA_1"
+      echo "$POST_DOWN_EXTRA_2"
+      echo "$POST_DOWN_EXTRA_3"
+    fi
     echo
     echo "[Peer]"
     echo "PublicKey = ${SERVER_PUBLIC_KEY}"
@@ -403,6 +451,7 @@ Endpoint сервера:     ${SERVER_ENDPOINT}
 SSH сервер:           ${SERVER_USER}@${SERVER_HOST}:${SSH_PORT}
 Статус регистрации:   ${SERVER_STATUS}
 Сети за клиентом:     ${ADVERTISE_SUBNETS:-не объявлены}
+LAN forwarding/NAT:   ${FORWARDING_MODE}
 Лог:                  ${LOG_FILE}
 =================================================
 EOF_SUMMARY
@@ -434,6 +483,7 @@ main() {
   build_allowed_ips
   build_client_interface_address
   build_route_hooks_if_needed
+  build_lan_nat_hooks_if_needed
   write_client_config
   apply_client_config
   print_summary