
Firewalld

Server

Create dedicated zone

firewall-cmd --permanent --new-zone=wireguard

Assign interface

firewall-cmd --permanent --zone=wireguard --add-interface=wg0

Allow WireGuard port (no --zone given, so this opens the port in the default zone, where the internet-facing interface lives)

firewall-cmd --permanent --add-port=51820/udp

Allow all traffic from VPN zone (permissive option; a zone has a single target, so the DROP target set further below replaces this one)

firewall-cmd --permanent --zone=wireguard --set-target=ACCEPT

NAT (internet sharing; masquerade applies to the default zone, which holds the upstream interface)

firewall-cmd --permanent --add-masquerade

Enable forwarding

firewall-cmd --permanent --zone=wireguard --add-forward

Allow only SSH from VPN

firewall-cmd --permanent --zone=wireguard --add-service=ssh

Allow HTTP/HTTPS

firewall-cmd --permanent --zone=wireguard --add-service=http
firewall-cmd --permanent --zone=wireguard --add-service=https

Drop connections that aren’t explicitly allowed (restrictive option; this overrides the ACCEPT target set above, leaving only the listed services reachable from VPN peers)

firewall-cmd --permanent --zone=wireguard --set-target=DROP
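An added audit helper (not part of this page) that reads the text of `firewall-cmd --zone=wireguard --list-all` and checks that the server zone ended up the way the commands above intend, in particular that DROP rather than ACCEPT is the surviving target. The names `check_wg_zone`, `zone_field` and `has_word` are chosen here, and the sample output is constructed, not captured from a real host.

```shell
#!/usr/bin/env bash
# Added audit helper (not from the page): verifies the 'wireguard' zone state
# produced by the server commands. Names used here are hypothetical.

# zone_field "<list-all output>" "<field>" -> value after "field:" (empty if unset)
zone_field() {
    printf '%s\n' "$1" | sed -n "s/^[[:space:]]*$2: *//p"
}

# has_word "a b c" "b" -> exit 0 if the word is present in the list
has_word() {
    case " $1 " in *" $2 "*) return 0 ;; esac
    return 1
}

# check_wg_zone "<list-all output>" -> one FAIL line per problem; return value = number of failures
check_wg_zone() {
    fails=0
    target=$(zone_field "$1" target)
    ifaces=$(zone_field "$1" interfaces)
    services=$(zone_field "$1" services)
    forward=$(zone_field "$1" forward)
    # --set-target is a single setting: ACCEPT is issued first and DROP last,
    # so DROP must be what survives or every peer reaches every port on the server.
    [ "$target" = "DROP" ]   || { echo "FAIL: target is '$target', expected DROP"; fails=$((fails+1)); }
    has_word "$ifaces" wg0   || { echo "FAIL: wg0 is not bound to the zone"; fails=$((fails+1)); }
    has_word "$services" ssh || { echo "FAIL: ssh is not allowed from the VPN"; fails=$((fails+1)); }
    [ "$forward" = "yes" ]   || { echo "FAIL: intra-zone forwarding is off"; fails=$((fails+1)); }
    return "$fails"
}

# Constructed sample of `firewall-cmd --zone=wireguard --list-all` (not real host output).
SAMPLE_OK='wireguard (active)
  target: DROP
  icmp-block-inversion: no
  interfaces: wg0
  sources:
  services: http https ssh
  ports:
  protocols:
  forward: yes
  masquerade: no'
# The same zone if the earlier --set-target=ACCEPT had been left in place.
SAMPLE_OPEN=$(printf '%s\n' "$SAMPLE_OK" | sed 's/^  target: DROP$/  target: ACCEPT/')

check_wg_zone "$SAMPLE_OK" && echo "sample zone: OK"
check_wg_zone "$SAMPLE_OPEN" || echo "sample zone with ACCEPT target: rejected"
```

On a real host, run `check_wg_zone "$(firewall-cmd --zone=wireguard --list-all)"` after `firewall-cmd --reload`, since the permanent changes above are not live until reloaded.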

Client

Trust WireGuard interface

firewall-cmd --permanent --zone=trusted --add-interface=wg0

Set default zone to drop

firewall-cmd --set-default-zone=drop

Allow loopback traffic by placing lo in the trusted zone (otherwise it falls into the default drop zone)

firewall-cmd --permanent --zone=trusted --add-interface=lo