
UFW

Server

Allow the WireGuard listen port (51820/udp is the conventional default; match it to the ListenPort in the server's WireGuard config)

ufw allow 51820/udp

Allow forwarding from VPN to LAN (this forwards all traffic arriving on wg0 out through eth0; for a tighter policy use the per-port route rules further down instead)

ufw route allow in on wg0 out on eth0

Enable forwarding in config

Two settings are involved. First, the kernel must forward packets at all: in /etc/ufw/sysctl.conf uncomment (or add) net/ipv4/ip_forward=1, which ufw applies when it starts. Second, /etc/default/ufw has DEFAULT_FORWARD_POLICY, the policy for forwarded packets that match no route rule. Setting DEFAULT_FORWARD_POLICY="ACCEPT" (add the line on its own row if it does not exist) forwards everything between all interfaces; if you rely on explicit ufw route allow rules as above, leaving it at the default DROP is the least-privilege choice. Run ufw reload after changing either file.

NAT (internet sharing)

Edit /etc/ufw/before.rules and add this block above the *filter line (the nat table must precede the filter section). 10.0.0.0/24 stands for the WireGuard subnet (the Address range in the server config) and eth0 for the interface with internet access; adjust both, then run ufw reload:

*nat
:POSTROUTING ACCEPT [0:0]

-A POSTROUTING -s 10.0.0.0/24 -o eth0 -j MASQUERADE

COMMIT

SSH access via VPN

ufw allow in on wg0 to any port 22 proto tcp

HTTP/HTTPS via VPN

ufw allow in on wg0 to any port 80 proto tcp
ufw allow in on wg0 to any port 443 proto tcp

Allow forwarding of specific ports only (instead of the blanket route rule above; with no proto given, ufw matches both TCP and UDP)

ufw route allow in on wg0 to any port 22
ufw route allow in on wg0 to any port 443

Deny all other forwarding from the VPN. This is a route rule, so it blocks forwarded traffic only, not connections to the server itself; ufw evaluates rules in the order they were added, so add it after the specific route allows above or it will shadow them

ufw route deny in on wg0
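The server steps above as one script. This is an added example, not the page's own commands: it applies the restrictive variant (per-port route allows followed by the catch-all route deny) rather than the blanket route allow, defaults to printing the commands instead of running them, emits the NAT block for before.rules, checks that kernel forwarding is on, and inspects ufw status numbered output for a route deny that was added above a route allow. The interface names wg0/eth0, the subnet 10.0.0.0/24 and port 51820 are assumptions taken as defaults; the two status samples at the end are constructed, not captured from a host.

```shell
#!/bin/sh
# Added example (not from the page): apply the server-side rules above in a
# shadow-safe order, with a dry-run default and a check of `ufw status numbered`.
# Assumptions, not taken from the page: interface names wg0/eth0, VPN subnet
# 10.0.0.0/24, listen port 51820, ufw installed, root when DRY_RUN=0.
set -eu

WG_IF="${WG_IF:-wg0}"
LAN_IF="${LAN_IF:-eth0}"
WG_SUBNET="${WG_SUBNET:-10.0.0.0/24}"
WG_PORT="${WG_PORT:-51820}"
DRY_RUN="${DRY_RUN:-1}"   # 1 = print the commands; 0 = execute them (needs root)

# run: print the command in dry-run mode, otherwise execute it.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# server_rules: the page's server rules, using the restrictive variant
# (per-port route allows plus a catch-all route deny) rather than the blanket
# "route allow in on wg0 out on eth0". ufw evaluates rules in insertion order,
# so the deny must come last or it shadows the allows.
server_rules() {
    run ufw allow "$WG_PORT/udp"
    run ufw allow in on "$WG_IF" to any port 22 proto tcp
    run ufw allow in on "$WG_IF" to any port 80 proto tcp
    run ufw allow in on "$WG_IF" to any port 443 proto tcp
    run ufw route allow in on "$WG_IF" out on "$LAN_IF" to any port 22 proto tcp
    run ufw route allow in on "$WG_IF" out on "$LAN_IF" to any port 443 proto tcp
    run ufw route deny in on "$WG_IF"
}

# nat_block: the *nat section for /etc/ufw/before.rules; it must sit above the
# *filter line, and ufw must be reloaded afterwards.
nat_block() {
    cat <<EOF
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s $WG_SUBNET -o $LAN_IF -j MASQUERADE
COMMIT
EOF
}

# kernel_forwarding_enabled: route rules do nothing unless the kernel forwards.
# ufw sets this from /etc/ufw/sysctl.conf (net/ipv4/ip_forward=1).
kernel_forwarding_enabled() {
    [ "$(cat /proc/sys/net/ipv4/ip_forward 2>/dev/null)" = "1" ]
}

# check_fwd_order: read `ufw status numbered` output on stdin and fail if a
# forwarding DENY rule appears above any forwarding ALLOW rule (which would
# silently shadow the allow).
check_fwd_order() {
    awk '
        /DENY +FWD/  { if (!deny_seen) deny_seen = NR }
        /ALLOW +FWD/ { if (deny_seen) bad = 1 }
        END { exit bad ? 1 : 0 }
    '
}

# Constructed samples of `ufw status numbered` output (not captured from a real
# host): one with the deny last, one where it was added before the allows.
STATUS_OK='[ 1] 51820/udp                  ALLOW IN    Anywhere
[ 2] 22/tcp on wg0              ALLOW IN    Anywhere
[ 3] 22/tcp on eth0             ALLOW FWD   Anywhere on wg0
[ 4] 443/tcp on eth0            ALLOW FWD   Anywhere on wg0
[ 5] Anywhere                   DENY FWD    Anywhere on wg0'
STATUS_SHADOWED='[ 1] 51820/udp                  ALLOW IN    Anywhere
[ 2] Anywhere                   DENY FWD    Anywhere on wg0
[ 3] 22/tcp on eth0             ALLOW FWD   Anywhere on wg0
[ 4] 443/tcp on eth0            ALLOW FWD   Anywhere on wg0'

main() {
    server_rules
    echo '# --- add above the *filter line in /etc/ufw/before.rules, then: ufw reload ---'
    nat_block
    kernel_forwarding_enabled || echo '# WARNING: net.ipv4.ip_forward is 0; forwarding rules are inert'
    if [ "$DRY_RUN" = "0" ]; then
        ufw status numbered | check_fwd_order || echo '# WARNING: a route deny shadows a route allow'
    else
        printf '%s\n' "$STATUS_SHADOWED" | check_fwd_order || echo '# (demo) shadowed allow detected in constructed sample'
    fi
}

# Run the demo only when asked, so the functions can also be sourced on their own:
#   WG_UFW_DEMO=1 sh wg-ufw.sh                       (dry run, prints the commands)
#   sudo env WG_UFW_DEMO=1 DRY_RUN=0 sh wg-ufw.sh    (apply on the server)
if [ "${WG_UFW_DEMO:-0}" = "1" ]; then main; fi
```

Keeping the catch-all route deny as the last rule in server_rules is the whole point of scripting this: if you add rules by hand over time and insert the deny early, ufw status still lists every allow, but none of the forwarded traffic gets through, which check_fwd_order makes visible before anyone debugs it on the peer.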

Client

Allow all outgoing traffic

ufw default allow outgoing

Allow outbound on the WireGuard interface explicitly (redundant while the outgoing default is allow, but keeps the tunnel working if you later tighten the default to deny outgoing)

ufw allow out on wg0

Deny all incoming

ufw default deny incoming

Allow loopback (ufw's stock before.rules already accepts traffic on lo, so this rule is a harmless explicit statement of that)

ufw allow in on lo