diff --git a/posts/wireguard.md b/posts/wireguard.md index 1965af3..c4d0df6 100644 --- a/posts/wireguard.md +++ b/posts/wireguard.md @@ -197,17 +197,24 @@ to load the new configuration. If your VPN server is on the public internet, be sure to have sane firewall rules before doing this. -> Note: If you use UFW as a firewall like me, you'll also [need to set a rule](https://dietpi.com/forum/t/wireguard-no-handshake-established/15979) to let VPN traffic in: +> Note: If you use [UFW](https://wiki.archlinux.org/title/Uncomplicated_Firewall) as a firewall like me, you'll also [need to set a rule](https://dietpi.com/forum/t/wireguard-no-handshake-established/15979) to let VPN traffic in. +> Without this, all the `iptables` rules do nothing and your forwarded packets will get blocked. +> Replace the subnet with your VPN subnet: > > ``` > # ufw allow in from 10.0.0.0/24 to any > ``` + +> Another UFW quirk is that it has its own `sysctl.conf`, which lives at `/etc/ufw/sysctl.conf`. +> This will override the regular `sysctl` if you follow the instructions above. +> To prevent it from erasing your changes, uncomment the relevant line: > -> Replace the subnet with your VPN subnet. -> This isn't obvious at all, so I was lucky to find the forum post linked above. -> Without this, all the `iptables` rules do nothing and your forwarded packets will get blocked. - - +> ``` +> # /etc/ufw/sysctl.conf +> +> # Uncomment this to allow this host to route packets between interfaces +> net/ipv4/ip_forward=1 +> ``` ### client configuration
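Review bot: the added UFW rule `ufw allow in from 10.0.0.0/24 to any` accepts traffic from the VPN subnet on every interface, not only on the WireGuard tunnel, so a packet arriving on the public interface with a forged source address in that range would also be admitted; since source addresses in the VPN subnet are only expected on the tunnel interface, suggest binding the rule to it, e.g. `# ufw allow in on wg0 from 10.0.0.0/24 to any` (substituting the actual interface name, which this hunk does not state), and saying so in the note. Two smaller points in the same hunk: the sentence "Replace the subnet with your VPN subnet:" now ends with a colon but the code block that follows it is the `ufw` command, not a subnet, so a full stop reads better; and the new `/etc/ufw/sysctl.conf` snippet tells the reader to "uncomment the relevant line" while already showing `net/ipv4/ip_forward=1` in its uncommented form, so either show the line as it ships (commented out) next to the edited form, or reword to "make sure this line is present and not commented out".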