posts/wireguard: ufw note
This commit is contained in:
parent
b82f96ecd6
commit
fd61bccfeb
@ -197,17 +197,24 @@ to load the new configuration.
If your VPN server is on the public internet,
be sure to have sane firewall rules before doing this.
> Note: If you use UFW as a firewall like me, you'll also [need to set a rule](https://dietpi.com/forum/t/wireguard-no-handshake-established/15979) to let VPN traffic in:
> Note: If you use [UFW](https://wiki.archlinux.org/title/Uncomplicated_Firewall) as a firewall like me, you'll also [need to set a rule](https://dietpi.com/forum/t/wireguard-no-handshake-established/15979) to let VPN traffic in.
> Without this, all the `iptables` rules do nothing and your forwarded packets will get blocked.
> Replace the subnet with your VPN subnet:
>
> ```
> # ufw allow in from 10.0.0.0/24 to any
> ```
> Another UFW quirk is that it has its own `sysctl.conf`, which lives at `/etc/ufw/sysctl.conf`.
> This will override the regular `sysctl` if you follow the instructions above.
> To prevent it from erasing your changes, uncomment the relevant line:
>
> Replace the subnet with your VPN subnet.
> This isn't obvious at all, so I was lucky to find the forum post linked above.
> Without this, all the `iptables` rules do nothing and your forwarded packets will get blocked.
> ```
> # /etc/ufw/sysctl.conf
>
> # Uncomment this to allow this host to route packets between interfaces
> net/ipv4/ip_forward=1
> ```
### client configuration
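Review bot: the added note says the `ufw allow in from 10.0.0.0/24 to any` rule is what "lets VPN traffic in", but that rule only matches packets already arriving from the tunnel subnet; it does not open the WireGuard UDP listen port on the public interface, which is the usual cause of the "no handshake established" symptom in the linked thread. The note should state both steps explicitly: allow the listen port from the server's `ListenPort` (something like `ufw allow <listen-port>/udp`, with the port taken from the server config), and then add the subnet rule for traffic coming out of the tunnel. It is also worth saying that `from 10.0.0.0/24 to any` admits every service on the host to every VPN peer, so readers who only want forwarding or a specific port should narrow it (`to any port <port>`). For the `/etc/ufw/sysctl.conf` paragraph, mention that this file is applied when ufw starts or reloads (via the `IPT_SYSCTL` setting in `/etc/default/ufw`), so the uncommented `net/ipv4/ip_forward=1` does not take effect until the next `ufw reload`, and keep one copy of the "Replace the subnet with your VPN subnet" and "Without this, all the `iptables` rules do nothing" sentences, which now appear twice in the note.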