Claudio4's wiki

Configure FirewallD for a Wireguard Point-to-Site

First, create a dedicated zone for WireGuard:

sudo firewall-cmd --permanent --new-zone=wg0

Then bind the WireGuard interface (assumed here to also be called wg0) to the zone. If the interface is managed by NetworkManager, this can be done with:

sudo nmcli connection modify wg0 connection.zone wg0
sudo nmcli connection up wg0

Now create a FirewallD policy that allows traffic arriving over WireGuard to be forwarded to your public interface:

sudo firewall-cmd --permanent --new-policy=wg0topublic

Bind the policy so that it applies to traffic coming from the WireGuard zone and going to the public zone:

sudo firewall-cmd --permanent --policy=wg0topublic --add-ingress-zone=wg0
sudo firewall-cmd --permanent --policy=wg0topublic --add-egress-zone=public

If you want to allow WireGuard traffic to reach any destination, set the policy target to ACCEPT:

sudo firewall-cmd --permanent --policy=wg0topublic --set-target=ACCEPT

On the other hand, if you prefer to only allow it to reach a subset of ports and destinations, leave the target unset and add rules like these:

# Allow HTTP traffic to the server on 192.168.1.22
sudo firewall-cmd --permanent --policy=wg0topublic --add-rich-rule='rule family="ipv4" destination address="192.168.1.22" service name="http" accept'

# Allow client 10.0.0.1 to send DNS (UDP) traffic to servers on the 1.0.0.0/8 subnet
sudo firewall-cmd --permanent --policy=wg0topublic --add-rich-rule='rule family="ipv4" source address="10.0.0.1" destination address="1.0.0.0/8" port port="53" protocol="udp" accept'

You probably want to masquerade the traffic coming from your VPN:

sudo firewall-cmd --permanent --policy=wg0topublic --add-masquerade

Reload FirewallD to apply the new permanent configuration. Be aware that any runtime-only configuration will be lost.

sudo firewall-cmd --reload
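The whole procedure above, gathered into one reviewable script. This is an added example and not part of the wiki page: it prints the exact firewall-cmd/nmcli commands it would run (so they can be checked before anything changes), applies them only when asked, uses --permanent throughout so the final reload keeps the configuration, and finishes with the verification commands a practitioner would run. The interface, zone and policy names are assumptions matching the examples above; the BIND=fw branch (binding the interface directly in firewalld for hosts without NetworkManager), the MODE switch and the verification step are additions beyond the page's text.

```shell
#!/bin/sh
# Added example (not from the wiki): plan and apply a FirewallD policy for a
# WireGuard point-to-site setup. Default run prints the plan; WG_FW_APPLY=1 applies it.

# Assumed names, matching the wiki's examples; override via the environment.
WG_IF="${WG_IF:-wg0}"                 # WireGuard interface
WG_ZONE="${WG_ZONE:-wg0}"             # zone the interface is bound to
PUBLIC_ZONE="${PUBLIC_ZONE:-public}"  # zone holding the public interface
POLICY="${POLICY:-wg0topublic}"
# MODE=all        -> policy target ACCEPT: VPN clients may reach anything
# MODE=restricted -> no target; only the rich rules below are forwarded
MODE="${MODE:-restricted}"
# BIND=nm -> let NetworkManager attach the interface to the zone (as the wiki does)
# BIND=fw -> attach it directly in firewalld (hosts without NetworkManager)
BIND="${BIND:-nm}"

# Print the plan, one command per line. Nothing is executed here.
wg_policy_commands() {
  printf '%s\n' "firewall-cmd --permanent --new-zone=$WG_ZONE"
  case "$BIND" in
    nm)
      printf '%s\n' "nmcli connection modify $WG_IF connection.zone $WG_ZONE"
      printf '%s\n' "nmcli connection up $WG_IF"
      ;;
    fw)
      printf '%s\n' "firewall-cmd --permanent --zone=$WG_ZONE --add-interface=$WG_IF"
      ;;
    *)
      echo "unknown BIND=$BIND (use nm or fw)" >&2
      return 1
      ;;
  esac
  printf '%s\n' "firewall-cmd --permanent --new-policy=$POLICY"
  printf '%s\n' "firewall-cmd --permanent --policy=$POLICY --add-ingress-zone=$WG_ZONE"
  printf '%s\n' "firewall-cmd --permanent --policy=$POLICY --add-egress-zone=$PUBLIC_ZONE"
  case "$MODE" in
    all)
      printf '%s\n' "firewall-cmd --permanent --policy=$POLICY --set-target=ACCEPT"
      ;;
    restricted)
      # Sample rules reusing the wiki's constructed addresses. Anything these
      # rules do not accept falls through to the zones' own defaults, which do
      # not forward between zones, so only these flows leave the VPN.
      printf '%s\n' "firewall-cmd --permanent --policy=$POLICY --add-rich-rule='rule family=\"ipv4\" destination address=\"192.168.1.22\" service name=\"http\" accept'"
      printf '%s\n' "firewall-cmd --permanent --policy=$POLICY --add-rich-rule='rule family=\"ipv4\" source address=\"10.0.0.1\" destination address=\"1.0.0.0/8\" port port=\"53\" protocol=\"udp\" accept'"
      ;;
    *)
      echo "unknown MODE=$MODE (use all or restricted)" >&2
      return 1
      ;;
  esac
  printf '%s\n' "firewall-cmd --permanent --policy=$POLICY --add-masquerade"
  # Load the permanent configuration, then show what is actually active.
  printf '%s\n' "firewall-cmd --reload"
  printf '%s\n' "firewall-cmd --info-policy=$POLICY"
  printf '%s\n' "firewall-cmd --get-active-zones"
}

# Run the plan with sudo, echoing each command first; stop at the first failure.
wg_policy_apply() {
  wg_policy_commands | while IFS= read -r cmd; do
    echo "+ sudo $cmd"
    eval "sudo $cmd" || exit 1
  done
}

if [ "${WG_FW_APPLY:-0}" = "1" ]; then
  wg_policy_apply
else
  wg_policy_commands   # default: print the plan for review
fi
```

Run it once without arguments to read the plan, then `WG_FW_APPLY=1 sh wg-firewalld.sh` to apply it. Every persistent command carries --permanent on purpose: a policy created only in the permanent configuration does not exist at runtime until the reload, so runtime-only `--policy=...` calls before that reload would fail, and anything added at runtime is discarded by the reload anyway. The final --info-policy output should list wg0 under ingress zones, public under egress zones, masquerade enabled, and either target ACCEPT or the two rich rules.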

Useful documentation
