Firewalld
Server
Create dedicated zone
firewall-cmd --permanent --new-zone=wireguard
Assign interface
firewall-cmd --permanent --zone=wireguard --add-interface=wg0
Allow WireGuard port
firewall-cmd --permanent --add-port=51820/udp
(No `--zone` is given, so this opens the port in the default zone — the one holding the interface peers connect through — not in the `wireguard` zone.)
Allow all traffic from VPN zone
firewall-cmd --permanent --zone=wireguard --set-target=ACCEPT
(This makes every VPN peer fully trusted. It is one of two alternatives — the restrictive `--set-target=DROP` further down is the other; the last one you run wins.)
NAT (internet sharing)
firewall-cmd --permanent --add-masquerade
(Again applied to the default zone, i.e. the outbound interface whose address VPN traffic is rewritten to.)
Enable forwarding
firewall-cmd --permanent --zone=wireguard --add-forward
(Permits forwarding between interfaces inside the `wireguard` zone; forwarding out to the default zone relies on the masquerade rule above.)
Allow only SSH from VPN
firewall-cmd --permanent --zone=wireguard --add-service=ssh
Allow HTTP/HTTPS
firewall-cmd --permanent --zone=wireguard --add-service=http
firewall-cmd --permanent --zone=wireguard --add-service=https
Drop connections that aren't explicitly allowed
firewall-cmd --permanent --zone=wireguard --set-target=DROP
(The restrictive alternative to `--set-target=ACCEPT` above: only the services and ports listed in the zone remain reachable from peers. Every `--permanent` change above takes effect only after `firewall-cmd --reload`.)
Client
Trust WireGuard interface
firewall-cmd --permanent --zone=trusted --add-interface=wg0
Set default zone to drop
firewall-cmd --set-default-zone=drop
(Applies to both runtime and permanent configuration at once. Interfaces not assigned to a zone then accept no unsolicited inbound traffic; outbound connections, including the client's handshake to the server, still work.)
Allow loopback
firewall-cmd --permanent --zone=trusted --add-interface=lo
(Run `firewall-cmd --reload` afterwards so the permanent interface assignments become active.)