IPTables
Server
Basic WireGuard access
eth0, wg0, 51820 and 10.0.0.0/24 below are placeholders for your WAN interface, WireGuard interface, ListenPort and VPN subnet. Rules added with -A are appended in order and are not persistent across reboots unless saved (for example with iptables-save).
Allow WireGuard UDP port:
iptables -A INPUT -p udp --dport 51820 -j ACCEPT
Allow established traffic back in:
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
Enable VPN forwarding (core VPN function)
Forwarding between wg0 and eth0 also requires IP forwarding to be enabled in the kernel (net.ipv4.ip_forward=1 via sysctl); the FORWARD rules alone do nothing without it.
Allow VPN -> LAN forwarding:
iptables -A FORWARD -i wg0 -o eth0 -j ACCEPT
Allow return traffic:
iptables -A FORWARD -i eth0 -o wg0 -m state --state ESTABLISHED,RELATED -j ACCEPT
NAT (internet sharing via VPN)
Masquerade VPN subnet to WAN:
iptables -t nat -A POSTROUTING -s 10.0.0.0/24 -o eth0 -j MASQUERADE
Restrict VPN access
Warning
These rules only affect traffic that arrives on wg0 and is addressed to the server itself: everything except SSH from VPN peers is dropped. Forwarded traffic is unaffected (it passes through FORWARD, not INPUT), and the WireGuard handshake on UDP 51820 arrives on eth0, so the tunnel itself keeps working. Any service the server offers to peers over the tunnel (DNS, for example) stops working unless it gets its own ACCEPT rule before the DROP; since -A appends, the order matters. Only run these commands if you know what you're doing and intend VPN peers to reach nothing on the server but SSH.
Allow only SSH from VPN:
iptables -A INPUT -i wg0 -p tcp --dport 22 -j ACCEPT
Drop everything else from VPN interface:
iptables -A INPUT -i wg0 -j DROP
Client
Basic VPN interface rules
Allow outbound VPN traffic:
iptables -A OUTPUT -o wg0 -j ACCEPT
Allow responses from VPN:
iptables -A INPUT -i wg0 -m state --state ESTABLISHED,RELATED -j ACCEPT
Strict lockdown
Warning
These commands isolate the machine from every network except loopback and replies to connections it started itself. Only run them if you know what you're doing and intend to allow traffic only over the VPN. The DROP on its own would also discard the server's WireGuard UDP packets, which arrive on the physical interface (eth0), not on wg0, so the tunnel would never come up; an ESTABLISHED,RELATED rule that applies to every interface must therefore be appended before the DROP (the one under "Basic VPN interface rules" does not help here because it is limited to wg0). Note that only inbound traffic is restricted; outbound connections on other interfaces are still allowed unless the OUTPUT chain is restricted as well.
Allow replies to connections this host initiated, on any interface (WireGuard's own UDP included):
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
Block all non-loopback inbound traffic:
iptables -A INPUT ! -i lo -j DROP
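Both the server section and the client lockdown above append rules one `iptables -A` at a time, where the order decides whether a rule can ever match and a second run duplicates every rule. The script below, an added example and not code from the page, renders the same rules as an iptables-restore ruleset (one atomic load, no duplicates) and lints the INPUT chain for the two ordering mistakes that matter here: a DROP appended before the interface-independent ESTABLISHED,RELATED accept, and an ACCEPT appended after a DROP that already covers its interface. The interface names eth0 and wg0, port 51820, subnet 10.0.0.0/24 and the FORWARD DROP policy are assumptions; override the variables to match your host.

```shell
#!/bin/sh
# Added example, not code from the original page: render the server or client
# rules as an iptables-restore ruleset and lint the INPUT chain order before
# loading. Interface names, port and subnet are assumptions; override them in
# the environment to match your host.
WAN_IF="${WAN_IF:-eth0}"
WG_IF="${WG_IF:-wg0}"
WG_PORT="${WG_PORT:-51820}"
WG_NET="${WG_NET:-10.0.0.0/24}"

r() { printf '%s\n' "$*"; }   # emit one ruleset line

# Print a complete ruleset for iptables-restore. Loading it replaces the whole
# table atomically, so a re-run never appends duplicate rules the way a second
# round of `iptables -A` would.
#   $1 = server | client      $2 = strict (optional) adds the restrictive rules
wg_rules() {
    mode="$1"; strict="${2:-}"
    if [ "$mode" = server ]; then
        r '*nat'
        r ':PREROUTING ACCEPT [0:0]'; r ':INPUT ACCEPT [0:0]'
        r ':OUTPUT ACCEPT [0:0]';     r ':POSTROUTING ACCEPT [0:0]'
        r "-A POSTROUTING -s $WG_NET -o $WAN_IF -j MASQUERADE"   # VPN subnet -> WAN
        r 'COMMIT'
    fi
    r '*filter'
    r ':INPUT ACCEPT [0:0]'
    r ':FORWARD DROP [0:0]'   # forwarding is opt-in (assumed policy; the page sets none)
    r ':OUTPUT ACCEPT [0:0]'
    r '-A INPUT -i lo -j ACCEPT'
    # Replies to flows this host opened, on every interface (conntrack is the
    # current spelling of -m state). On a client this is what lets the server's
    # UDP packets reach WireGuard on $WAN_IF, so it must precede any lockdown DROP.
    r '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    if [ "$mode" = server ]; then
        r "-A INPUT -p udp --dport $WG_PORT -j ACCEPT"                        # handshakes
        r "-A FORWARD -i $WG_IF -o $WAN_IF -j ACCEPT"                           # VPN -> LAN
        r "-A FORWARD -i $WAN_IF -o $WG_IF -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
        if [ "$strict" = strict ]; then
            r "-A INPUT -i $WG_IF -p tcp --dport 22 -j ACCEPT"   # only SSH from peers
            r "-A INPUT -i $WG_IF -j DROP"                        # nothing else from peers
        fi
    else
        r "-A OUTPUT -o $WG_IF -j ACCEPT"
        if [ "$strict" = strict ]; then
            r '-A INPUT ! -i lo -j DROP'                          # block all non-loopback inbound
        fi
    fi
    r 'COMMIT'
}

# Read a ruleset on stdin and check the INPUT chain for ordering mistakes:
#   exit 2  no ESTABLISHED,RELATED accept that applies to every interface
#   exit 3  a DROP comes before that accept, so replies are dropped
#   exit 4  an ACCEPT comes after a DROP that already covers its interface,
#           so it can never match
lint_rules() {
    awk '
    !/^-A INPUT/ { next }
    { n++; iface = ""; neg = 0
      for (i = 1; i <= NF; i++) if ($i == "-i") { iface = $(i + 1); neg = (i > 1 && $(i - 1) == "!") } }
    /ESTABLISHED,RELATED -j ACCEPT$/ && iface == "" && !est { est = n }
    /-j DROP$/ {
        if (!drop) drop = n
        if (iface == "") { all = 1; keep = "<none>" }   # unconditional drop
        else if (neg)    { all = 1; keep = iface }      # "! -i lo": drop all but lo
        else             dead[iface] = 1                # drop for one interface
    }
    /-j ACCEPT$/ && (dead[iface] || (all && iface != keep)) { bad = n }
    END { if (!est) exit 2; if (drop && drop < est) exit 3; if (bad) exit 4; exit 0 }'
}

# Usage: sh wg-rules.sh server [strict] > rules.v4 && iptables-restore < rules.v4
if [ -n "${1:-}" ]; then
    rules=$(wg_rules "$1" "${2:-}")
    printf '%s\n' "$rules" | lint_rules && printf '%s\n' "$rules"
fi
```

Run it as `sh wg-rules.sh server strict > /etc/iptables/rules.v4` and load the result with `iptables-restore < /etc/iptables/rules.v4`; the script prints nothing if the lint fails. On the server, forwarding additionally needs `sysctl -w net.ipv4.ip_forward=1`. The lint deliberately rejects a lockdown whose only ESTABLISHED,RELATED accept is bound to wg0, because the server's UDP packets arrive on eth0 and the catch-all DROP would discard them.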