Pre-requisites:
These instructions are for allowing traffic on a LAN only. An Internet-connected server would also have to allow connections from public networks, which these rules do not cover.
Install ufw package:
sudo apt install ufw
Enable the firewall:
sudo ufw enable
Show the current status (it can be used later to review rules you added):
sudo ufw status verbose
Determine the local IPv6 address:
ip -6 --brief addr show dev eth0 scope link
Allow SSH access from the link-local network (fe80::/64):
sudo ufw allow from fe80::/64 to any port 22 proto tcp
Allow HTTPS access from the link-local network and from loopback:
sudo ufw allow from fe80::/64 to any port 443 proto tcp
sudo ufw allow from ::1 to any port 443 proto tcp
If this host is listening for VPN connections (a VPN client does not need this). The 2001:db8: prefix below is the IPv6 documentation prefix used as a placeholder; replace it with your VPN peer's network:
sudo ufw allow from 2001:db8:4410:a000::0001/64 to any port 4500 proto tcp
Example of deleting a single rule (list the rules with their numbers, then delete by number):
sudo ufw status numbered
sudo ufw delete 3
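As an added example (not part of the original guide), a small POSIX shell script that prints the ufw commands from the steps above for review instead of running them, and scans the output of "sudo ufw status numbered" (a constructed sample is embedded) for rules that accept traffic from Anywhere, which do not belong on a host that should only accept LAN traffic. The function names and the sample output are this example's own.

```shell
#!/bin/sh
# Added example, not part of the original guide. Nothing here invokes ufw;
# rule_commands prints the commands for review and broad_rules audits
# status output that you pass in as a string.

# Print "sudo ufw allow ..." for each port/proto pair, without executing anything.
# Usage: rule_commands <source-prefix> <port/proto> [<port/proto> ...]
rule_commands() {
    src=$1; shift
    for spec in "$@"; do
        port=${spec%/*}    # text before the slash, e.g. 22
        proto=${spec#*/}   # text after the slash, e.g. tcp
        printf 'sudo ufw allow from %s to any port %s proto %s\n' "$src" "$port" "$proto"
    done
}

# Print the rule numbers whose From column is "Anywhere" or "Anywhere (v6)".
# Usage: broad_rules "<output of sudo ufw status numbered>"
broad_rules() {
    printf '%s\n' "$1" | awk '
        /^\[ *[0-9]+\]/ {
            num = $0; sub(/^\[ */, "", num); sub(/\].*/, "", num)
            from = $0; sub(/.*(ALLOW|DENY|REJECT|LIMIT) (IN|OUT|FWD) +/, "", from)
            if (from ~ /^Anywhere/) print num
        }'
}

# Constructed sample of "sudo ufw status numbered" output for a host whose
# VPN port was opened to every IPv6 source instead of the peer network.
SAMPLE_STATUS='Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 22/tcp                     ALLOW IN    fe80::/64
[ 2] 443/tcp                    ALLOW IN    fe80::/64
[ 3] 443/tcp                    ALLOW IN    ::1
[ 4] 4500/tcp                   ALLOW IN    Anywhere (v6)'

main() {
    rule_commands fe80::/64 22/tcp 443/tcp
    echo "Rules open to Anywhere (review these): $(broad_rules "$SAMPLE_STATUS" | tr '\n' ' ')"
}

main
```

To audit a live system, run sudo ufw status numbered, capture its output in a variable and pass that to broad_rules.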
A WireGuard VPN client should send keep-alive packets to maintain the connection through the firewall.
Add keep-alive packets to your wg0 adapter:
sudo vi /etc/systemd/network/99-wg0.netdev
Add the PersistentKeepalive option under [WireGuardPeer]:
[WireGuardPeer]
# Other options
PersistentKeepalive = 25
Restart the systemd-networkd service:
sudo systemctl restart systemd-networkd
Check the status of the wg0 VPN interface:
sudo wg show wg0
You should see a recent "latest handshake" entry.