WireGuard VPN Iptables Rules

Posted on November 3, 2020 at 11:54 am

Here are the “iptables -S” rules for a WireGuard VPN server:

-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A FORWARD -i ens2 -o wg0 -j ACCEPT
-A FORWARD -i wg0 -j ACCEPT

Note that “iptables -S” prints only the filter table; if the server also NATs the VPN traffic, that rule lives in the nat table and is shown by “iptables -t nat -S”. With the FORWARD policy at ACCEPT the two FORWARD rules above are redundant; they only matter if you later change that policy to DROP.

You can restrict WireGuard to trusted source IP addresses only (order is important):

iptables -A INPUT -s 1.2.3.4/32 -i ens2 -p udp -m udp --dport 50490 -j ACCEPT
iptables -A INPUT -i ens2 -p udp -m udp --dport 50490 -j DROP

Add the ACCEPT rules first and the DROP rule last. iptables evaluates a chain from top to bottom and “-A” appends at the end, so an ACCEPT rule added after the DROP would never be reached. Only the WireGuard port is closed to other sources; all other traffic is still governed by the ACCEPT policy.

Here is an example of final iptables rules:

-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A INPUT -s 1.2.3.4/32 -i ens2 -p udp -m udp --dport 50490 -j ACCEPT
-A INPUT -i ens2 -p udp -m udp --dport 50490 -j DROP
-A FORWARD -i ens2 -o wg0 -j ACCEPT
-A FORWARD -i wg0 -j ACCEPT

Replace 1.2.3.4 with your IP address and change port 50490 to the ListenPort set in your WireGuard configuration.

Replace ens2 with the name of your public network interface (e.g. eth0).
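As an added example (not part of the original post), the helper below prints the allow-list rules for any number of trusted addresses, ACCEPT rules first and the single DROP rule last, and a second function reads “iptables -S” style output and confirms that no ACCEPT for the WireGuard port sits below the DROP, since such a rule would be dead. The interface name, port and addresses are placeholders, and the check is run against a constructed ruleset rather than a live host.

```shell
#!/bin/sh
# Added example, not from the original post. Interface, port and addresses
# below are placeholders; the ruleset fed to the check is constructed.

# Print the iptables commands that allow-list the WireGuard port.
# Usage: wg_allowlist_rules IFACE PORT SRC [SRC...]
# ACCEPT rules come first and the DROP last, because iptables walks a
# chain top-down and -A appends to the end.
wg_allowlist_rules() {
  iface="$1"; port="$2"; shift 2
  [ "$#" -ge 1 ] || { echo "at least one source address required" >&2; return 1; }
  for src in "$@"; do
    case "$src" in
      */*) ;;                # prefix length already given
      *)   src="$src/32" ;;  # single host
    esac
    printf 'iptables -A INPUT -s %s -i %s -p udp -m udp --dport %s -j ACCEPT\n' \
      "$src" "$iface" "$port"
  done
  printf 'iptables -A INPUT -i %s -p udp -m udp --dport %s -j DROP\n' "$iface" "$port"
}

# Read "iptables -S" output on stdin and verify the ordering invariant for
# the given port: a DROP for the port must exist, and no ACCEPT for the
# port may appear after it. Returns 0 when sound, 1 otherwise.
wg_check_order() {
  port="$1"
  awk -v port="$port" '
    /^-A INPUT / && $0 ~ ("--dport " port " ") {
      if ($0 ~ /-j DROP$/)   { drop_seen = 1; next }
      if ($0 ~ /-j ACCEPT$/ && drop_seen) { bad = 1 }
    }
    END { if (drop_seen && !bad) exit 0; exit 1 }
  '
}

# Demo with placeholder values (constructed, not a real host).
wg_allowlist_rules ens2 50490 1.2.3.4 203.0.113.0/24
```

Run the generated lines as root, or pipe a real “iptables -S” into wg_check_order after applying them; a non-zero exit means an ACCEPT was appended after the DROP and will never match.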

Updated on November 5, 2020 at 1:48 am
