michaelschiemer/docs/deployment/WIREGUARD-WINDOWS-FIREWALL-SCRIPT.ps1


# WireGuard Windows Firewall - check and fix script
# Must be run from an elevated (Administrator) PowerShell session.
Write-Host "=== WireGuard Windows Firewall - Pr?fung ===" -ForegroundColor Cyan
Write-Host ""

# Elevation check: resolve the current Windows identity, wrap it in a principal
# and ask whether it holds the built-in Administrator role. When it does not,
# print a hint and stop with exit code 1 before anything else runs.
$currentIdentity = [Security.Principal.WindowsIdentity]::GetCurrent()
$currentPrincipal = [Security.Principal.WindowsPrincipal] $currentIdentity
$isAdmin = $currentPrincipal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

if (-not $isAdmin) {
    Write-Host "FEHLER: Script muss als Administrator ausgef?hrt werden!" -ForegroundColor Red
    Write-Host "Rechtsklick auf PowerShell -> 'Als Administrator ausf?hren'" -ForegroundColor Yellow
    exit 1
}
# Step 1: show, per firewall profile, whether the firewall is enabled.
Write-Host "1. Pr?fe Firewall-Status..." -ForegroundColor Green
Get-NetFirewallProfile |
    Select-Object -Property Name, Enabled |
    Format-Table -AutoSize
Write-Host ""

# Step 2: list existing rules whose display name mentions WireGuard or VPN.
# The "*VPN*" pattern is a plain name match, so rules belonging to other VPN
# products show up here as well.
Write-Host "2. Pr?fe vorhandene WireGuard Firewall-Regeln..." -ForegroundColor Green
$existingRules = Get-NetFirewallRule | Where-Object {
    ($_.DisplayName -like "*WireGuard*") -or ($_.DisplayName -like "*VPN*")
}
if (-not $existingRules) {
    Write-Host "Keine WireGuard Firewall-Regeln gefunden" -ForegroundColor Yellow
} else {
    $existingRules |
        Select-Object -Property DisplayName, Enabled, Direction, Action |
        Format-Table -AutoSize
}
Write-Host ""
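# Step 3: locate wireguard.exe.
# $wgPath is later handed to New-NetFirewallRule -Program, so whatever file this
# step resolves to is the binary the program-scoped allow rules will trust.
Write-Host "3. Suche WireGuard-Installationspfad..." -ForegroundColor Green
$wgPath = "C:\Program Files\WireGuard\wireguard.exe"
if (-not (Test-Path $wgPath)) {
    $wgPath = "C:\Program Files (x86)\WireGuard\wireguard.exe"
}
if (-not (Test-Path $wgPath)) {
    Write-Host "WireGuard-Programm nicht gefunden in Standardpfaden" -ForegroundColor Yellow
    Write-Host "Suche in anderen Pfaden..." -ForegroundColor Yellow
    # -File keeps a directory that happens to be named wireguard.exe out of the result.
    # The first hit wins; it is matched by file name only.
    $found = Get-ChildItem "C:\Program Files" -Recurse -Filter "wireguard.exe" -File -ErrorAction SilentlyContinue | Select-Object -First 1
    if ($found) {
        $wgPath = $found.FullName
        Write-Host "Gefunden: $wgPath" -ForegroundColor Green
    } else {
        Write-Host "WireGuard-Programm nicht gefunden. Bitte Pfad manuell angeben." -ForegroundColor Red
        $wgPath = Read-Host "WireGuard-Programm-Pfad (oder Enter zum ?berspringen)"
        # Paths pasted from Explorer usually arrive wrapped in double quotes, which
        # makes Test-Path fail later; strip surrounding whitespace and quotes.
        $wgPath = "$wgPath".Trim().Trim('"')
    }
} else {
    Write-Host "Gefunden: $wgPath" -ForegroundColor Green
}

# A path found by name or typed in by hand is not proof that the file is the
# genuine WireGuard binary. Show the Authenticode result so the operator can
# decide before creating a program-scoped allow rule for it. This is a warning
# only; it does not block the rest of the script.
if ($wgPath -and (Test-Path $wgPath -PathType Leaf)) {
    $signature = Get-AuthenticodeSignature -FilePath $wgPath -ErrorAction SilentlyContinue
    if ((-not $signature) -or ($signature.Status -ne 'Valid')) {
        Write-Host "WARNUNG: Authenticode-Signatur nicht in Ordnung (Status: $($signature.Status)) - $wgPath" -ForegroundColor Yellow
    } else {
        Write-Host "Signiert von: $($signature.SignerCertificate.Subject)" -ForegroundColor Green
    }
}
Write-Host ""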
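# Step 4: find the WireGuard adapter(s) and list the firewall rules bound to them.
# Adapters are matched by name only ("*grafana-test*" or "*WireGuard*"), so more
# than one adapter can come back; each one is reported separately.
Write-Host "4. Finde WireGuard Interface..." -ForegroundColor Green
$wgInterface = Get-NetAdapter | Where-Object {$_.Name -like "*grafana-test*" -or $_.Name -like "*WireGuard*"}
if ($wgInterface) {
    # Objects returned by Get-NetFirewallRule carry no InterfaceIndex property, so
    # filtering the rules on it never matches anything. The interface binding of
    # a rule lives in its associated interface filter (InterfaceAlias); read the
    # filters once and map the matching ones back to their rules.
    $interfaceFilters = @(Get-NetFirewallInterfaceFilter -ErrorAction SilentlyContinue)
    foreach ($adapter in @($wgInterface)) {
        Write-Host "Gefunden: $($adapter.Name), Index: $($adapter.InterfaceIndex)" -ForegroundColor Green
        $interfaceFilters |
            Where-Object { @($_.InterfaceAlias) -contains $adapter.Name } |
            Get-NetFirewallRule |
            Select-Object DisplayName, Enabled, Direction, Action |
            Format-Table -AutoSize
    }
} else {
    Write-Host "Kein WireGuard Interface gefunden" -ForegroundColor Yellow
}
Write-Host ""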
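# Subnet used by the network-scoped rules (the menu text below shows the same value).
$vpnSubnet = "10.8.0.0/24"

# Creates one enabled allow rule unless a rule with that display name already exists.
# DisplayName is not a unique key in the firewall store, so calling
# New-NetFirewallRule again on a second run would add a duplicate rule.
# Returns $true when the rule is present afterwards, $false when creation failed.
function Add-WireGuardRule {
    param(
        [Parameter(Mandatory = $true)][string]$DisplayName,
        [Parameter(Mandatory = $true)][hashtable]$Match
    )
    if (Get-NetFirewallRule -DisplayName $DisplayName -ErrorAction SilentlyContinue) {
        Write-Host "Regel existiert bereits: $DisplayName" -ForegroundColor Yellow
        return $true
    }
    try {
        # -ErrorAction Stop instead of SilentlyContinue: a failed rule must not be
        # followed by a "created" message.
        New-NetFirewallRule -DisplayName $DisplayName -Action Allow -Enabled True -ErrorAction Stop @Match | Out-Null
        return $true
    } catch {
        Write-Host "FEHLER: Regel '$DisplayName' nicht erstellt - $($_.Exception.Message)" -ForegroundColor Red
        return $false
    }
}

# Program-scoped rules for the given wireguard.exe path (TCP and UDP, both directions).
# NOTE(review): WireGuard tunnels run over UDP and a client initiates them outbound;
# confirm the TCP and inbound program rules are really needed before keeping them.
function Add-WireGuardProgramRules {
    param([Parameter(Mandatory = $true)][string]$ProgramPath)
    $specs = @(
        @{ Name = "WireGuard VPN - Allow TCP";         Direction = "Outbound"; Protocol = "TCP" },
        @{ Name = "WireGuard VPN - Allow UDP";         Direction = "Outbound"; Protocol = "UDP" },
        @{ Name = "WireGuard VPN - Allow Inbound TCP"; Direction = "Inbound";  Protocol = "TCP" },
        @{ Name = "WireGuard VPN - Allow Inbound UDP"; Direction = "Inbound";  Protocol = "UDP" }
    )
    $ok = $true
    foreach ($spec in $specs) {
        $created = Add-WireGuardRule -DisplayName $spec.Name -Match @{
            Direction = $spec.Direction
            Protocol  = $spec.Protocol
            Program   = $ProgramPath
        }
        $ok = $ok -and $created
    }
    return $ok
}

# Interface-scoped rules (all protocols, both directions) for every adapter passed in.
# New-NetFirewallRule binds a rule to an adapter through -InterfaceAlias; it has no
# -InterfaceIndex parameter, so the adapter name is used for the binding.
function Add-WireGuardInterfaceRules {
    param([Parameter(Mandatory = $true)]$Adapters)
    $ok = $true
    foreach ($adapter in @($Adapters)) {
        foreach ($direction in "Outbound", "Inbound") {
            $created = Add-WireGuardRule -DisplayName "WireGuard Interface $($adapter.Name) - Allow $direction" -Match @{
                Direction      = $direction
                InterfaceAlias = $adapter.Name
            }
            $ok = $ok -and $created
        }
    }
    return $ok
}

# Address-scoped rules for the VPN subnet (TCP and UDP, both directions).
# These rules match on the remote address alone: they apply on every interface
# and firewall profile and open all ports. Any other network that happens to use
# the same address range is covered by the inbound rules too.
# NOTE(review): consider limiting the inbound rules to the WireGuard interface
# and to the ports that are actually needed.
function Add-WireGuardNetworkRules {
    param([Parameter(Mandatory = $true)][string]$Subnet)
    $ok = $true
    foreach ($direction in "Outbound", "Inbound") {
        foreach ($protocol in "TCP", "UDP") {
            $created = Add-WireGuardRule -DisplayName "WireGuard VPN Network - Allow $direction $protocol" -Match @{
                Direction     = $direction
                Protocol      = $protocol
                RemoteAddress = $Subnet
            }
            $ok = $ok -and $created
        }
    }
    return $ok
}

Write-Host "=== M?chtest du Firewall-Regeln erstellen? ===" -ForegroundColor Cyan
Write-Host "1. Programm-Regeln (wenn WireGuard-Pfad gefunden)"
Write-Host "2. Interface-Regeln (wenn WireGuard Interface gefunden)"
Write-Host "3. VPN-Netzwerk-Regeln (10.8.0.0/24)"
Write-Host "4. Alle oben genannten"
Write-Host "5. ?berspringen (nur pr?fen)"
Write-Host ""
# Trim so that an answer typed with stray spaces still selects its option.
$choice = (Read-Host "W?hle Option (1-5)").Trim()
# An empty $wgPath (Enter pressed at the manual prompt) short-circuits before Test-Path.
$haveProgram = [bool]($wgPath -and (Test-Path $wgPath))

switch ($choice) {
    "1" {
        if ($haveProgram) {
            Write-Host "Erstelle Programm-Regeln..." -ForegroundColor Green
            if (Add-WireGuardProgramRules -ProgramPath $wgPath) {
                Write-Host "Programm-Regeln erstellt" -ForegroundColor Green
            }
        } else {
            Write-Host "Kann Programm-Regeln nicht erstellen: WireGuard-Pfad nicht gefunden" -ForegroundColor Red
        }
    }
    "2" {
        if ($wgInterface) {
            Write-Host "Erstelle Interface-Regeln..." -ForegroundColor Green
            if (Add-WireGuardInterfaceRules -Adapters $wgInterface) {
                Write-Host "Interface-Regeln erstellt" -ForegroundColor Green
            }
        } else {
            Write-Host "Kann Interface-Regeln nicht erstellen: WireGuard Interface nicht gefunden" -ForegroundColor Red
        }
    }
    "3" {
        Write-Host "Erstelle VPN-Netzwerk-Regeln..." -ForegroundColor Green
        if (Add-WireGuardNetworkRules -Subnet $vpnSubnet) {
            Write-Host "VPN-Netzwerk-Regeln erstellt" -ForegroundColor Green
        }
    }
    "4" {
        # Same three rule sets as options 1-3; program and interface rules are
        # skipped without a message when their prerequisite was not found.
        Write-Host "Erstelle alle Regeln..." -ForegroundColor Green
        if ($haveProgram) {
            if (Add-WireGuardProgramRules -ProgramPath $wgPath) {
                Write-Host "Programm-Regeln erstellt" -ForegroundColor Green
            }
        }
        if ($wgInterface) {
            if (Add-WireGuardInterfaceRules -Adapters $wgInterface) {
                Write-Host "Interface-Regeln erstellt" -ForegroundColor Green
            }
        }
        if (Add-WireGuardNetworkRules -Subnet $vpnSubnet) {
            Write-Host "VPN-Netzwerk-Regeln erstellt" -ForegroundColor Green
        }
    }
    "5" {
        Write-Host "?berspringe Regel-Erstellung" -ForegroundColor Yellow
    }
    default {
        Write-Host "Ung?ltige Option" -ForegroundColor Red
    }
}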
# Summary: list every rule whose display name mentions WireGuard or VPN, so the
# operator can see what is now in the firewall store (including rules that other
# VPN products created, since the match is by name only).
Write-Host ""
Write-Host "=== Zusammenfassung ===" -ForegroundColor Cyan
Write-Host "Firewall-Regeln:"
$summaryColumns = "DisplayName", "Enabled", "Direction", "Action"
Get-NetFirewallRule |
    Where-Object { ($_.DisplayName -like "*WireGuard*") -or ($_.DisplayName -like "*VPN*") } |
    Select-Object -Property $summaryColumns |
    Format-Table -AutoSize
Write-Host ""

# Manual follow-up steps for the operator, printed in order.
Write-Host "=== N?chste Schritte ===" -ForegroundColor Cyan
$nextSteps = @(
    "1. WireGuard neu verbinden (Disconnect ? Connect)",
    "2. Teste: ping 10.8.0.1",
    "3. Teste: https://grafana.michaelschiemer.de im Browser",
    "4. Sag mir Bescheid, dann pr?fe ich die Traefik-Logs!"
)
foreach ($step in $nextSteps) {
    Write-Host $step
}