I have recently set up a headless Raspberry Pi, using Raspberry Pi OS Lite.

I set up Wireguard and some UFW rules.

The outcome that I would like to have:

  • all network traffic is blocked except for traffic that goes through the WireGuard connection
  • basically: the VPN would be on all the time. If the VPN is not on, then the Pi should not communicate with the outside world

So these are the UFW settings that I set up:

# Reset existing rules to start fresh
sudo ufw reset

# Set default deny policies
sudo ufw default deny incoming
sudo ufw default deny outgoing

# Allow all incoming and outgoing traffic on wg0
sudo ufw allow in on wg0 from any to any
sudo ufw allow out on wg0 from any to any

# Specific allowances (local network and torrent client port)
sudo ufw allow from 192.168.178.0/24
sudo ufw allow to 192.168.178.0/24
sudo ufw allow in 51413/tcp

# Enable UFW
sudo ufw enable

For WireGuard I saved the config as /etc/wireguard/wg0.conf, and using it looks promising.

  • running wireguard itself works (I checked with sudo wg show -> it shows the interface for wg0)
  • setting the UFW rules works (I checked with sudo ufw status)
sudo ufw status
Status: active

To                         Action      From
--                         ------      ----
Anywhere on wg0            ALLOW       Anywhere                  
Anywhere                   ALLOW       192.168.178.0/24          
192.168.178.0/24           ALLOW       Anywhere                  
51413/tcp                  ALLOW       Anywhere                  
Anywhere (v6) on wg0       ALLOW       Anywhere (v6)             
51413/tcp (v6)             ALLOW       Anywhere (v6)             

Anywhere                   ALLOW OUT   Anywhere on wg0           
Anywhere (v6)              ALLOW OUT   Anywhere (v6) on wg0

However, I am observing that the behaviour is not exactly what I hoped to get. Basically, the Pi can't connect to the outside... What did I miss?
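
As an added example (not part of the question and not the author's own script), here is a small POSIX sh audit that checks the text of `sudo ufw status verbose` for the invariants a "only through wg0" kill switch needs: deny/deny defaults, an ALLOW OUT on wg0, an explicit ALLOW OUT for the WireGuard endpoint on the uplink, and no other ALLOW OUT bound to the uplink. The third check is the one most often forgotten: WireGuard's own UDP packets leave on the physical interface, not on wg0, so `default deny outgoing` applies to them as well. The uplink name eth0, the endpoint 203.0.113.10, the port 51820 and both sample outputs are constructed assumptions, not values from the question.

```shell
#!/bin/sh
# Audit a UFW ruleset for the "everything only through wg0" kill-switch invariants.
# Input: the text of `sudo ufw status verbose`, passed as the first argument, so the
# audit runs against saved output as well as live. Assumptions that are NOT from the
# original post: the uplink is eth0, the WireGuard endpoint is 203.0.113.10 on UDP 51820
# (documentation address, constructed), and rules render in ufw's usual column format.
UPLINK_IF="${UPLINK_IF:-eth0}"
WG_ENDPOINT="${WG_ENDPOINT:-203.0.113.10}"
WG_PORT="${WG_PORT:-51820}"

# has_rule "<status text>" "<extended regex>" : 0 if some line matches
has_rule() { printf '%s\n' "$1" | grep -Eq "$2"; }

# audit_killswitch "<ufw status verbose text>"
# Prints one line per failed check; the return value is the number of failures.
audit_killswitch() {
    status=$1
    failures=0

    # 1. Both default policies must be deny. Without "deny (outgoing)" nothing is a kill switch.
    has_rule "$status" 'Default: deny \(incoming\), deny \(outgoing\)' \
        || { echo "FAIL: default policy is not deny incoming / deny outgoing"; failures=$((failures + 1)); }

    # 2. Traffic must be allowed to leave through the tunnel interface.
    has_rule "$status" 'ALLOW OUT +Anywhere on wg0' \
        || { echo "FAIL: no ALLOW OUT rule bound to wg0"; failures=$((failures + 1)); }

    # 3. The tunnel's own UDP packets leave on the uplink, not on wg0, so the outgoing
    #    policy applies to them too: the endpoint needs its own ALLOW OUT rule.
    has_rule "$status" "$WG_ENDPOINT $WG_PORT/udp +ALLOW OUT +Anywhere on $UPLINK_IF" \
        || { echo "FAIL: no ALLOW OUT rule for the WireGuard endpoint on $UPLINK_IF"; failures=$((failures + 1)); }

    # 4. Any other ALLOW OUT rule bound to the uplink is a path around the tunnel.
    leaks=$(printf '%s\n' "$status" | awk -v up="on $UPLINK_IF" -v ep="$WG_PORT/udp" \
        '/ALLOW OUT/ && index($0, up) && !index($0, ep) { n++ } END { print n + 0 }')
    [ "$leaks" -eq 0 ] \
        || { echo "FAIL: $leaks ALLOW OUT rule(s) on $UPLINK_IF bypass the tunnel"; failures=$((failures + 1)); }

    return "$failures"
}

# Constructed sample outputs (no real host): a ruleset like the question's as
# `ufw status verbose` would render it, and the same ruleset with the endpoint rule added.
SAMPLE_NO_ENDPOINT='Status: active
Logging: on (low)
Default: deny (incoming), deny (outgoing), disabled (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
Anywhere on wg0            ALLOW IN    Anywhere
Anywhere                   ALLOW IN    192.168.178.0/24
51413/tcp                  ALLOW IN    Anywhere
Anywhere                   ALLOW OUT   Anywhere on wg0'

SAMPLE_WITH_ENDPOINT="$SAMPLE_NO_ENDPOINT
203.0.113.10 51820/udp     ALLOW OUT   Anywhere on eth0"

# Live use on the Pi (uncomment):
# audit_killswitch "$(sudo ufw status verbose)" && echo "kill switch rules look complete"
```

Run live, the function returns 0 only when all four checks pass. The rule it looks for in check 3 is `sudo ufw allow out on eth0 to <endpoint-ip> port 51820 proto udp` with your own endpoint and port substituted. Separately, note that `ufw allow in 51413/tcp` opens the torrent port on every interface; if the client is meant to be reachable only through the tunnel, `sudo ufw allow in on wg0 to any port 51413 proto tcp` keeps that intent.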

1 Answer

I managed to fix it. UFW wasn't the issue, as the configuration is actually correct. The problem was the VPN.

What I observed was no connectivity after a certain amount of time. When resetting everything and reconnecting the VPN, it would work, but then after some time it would stop working.

I needed to add a "stay alive" parameter in the wireguard configuration:

[Peer]
...
PersistentKeepalive=25
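
To confirm that the keepalive actually keeps the tunnel alive, rather than noticing only when connectivity is gone, the following added POSIX sh check (not part of the answer or of WireGuard itself) reads the machine-readable output of `wg show wg0 persistent-keepalive` and `wg show wg0 latest-handshakes` and flags a peer whose keepalive is off or whose last handshake is older than a threshold. The 180-second threshold, the peer key and the timestamps in the samples are constructed assumptions.

```shell
#!/bin/sh
# Check that every WireGuard peer has keepalive configured and a recent handshake.
# Inputs are the tab-separated outputs of
#   wg show wg0 persistent-keepalive   -> "<peer-pubkey>\t<seconds|off>"
#   wg show wg0 latest-handshakes      -> "<peer-pubkey>\t<unix-timestamp>"
# passed as text, so the check runs against captured output as well as live.
# Assumption (not from the original post): a handshake older than MAX_AGE seconds
# means the tunnel is effectively down (WireGuard rekeys well within that window).
MAX_AGE=180

# keepalive_ok "<persistent-keepalive output>" : 0 if every peer has keepalive on
keepalive_ok() {
    printf '%s\n' "$1" | awk -F'\t' '
        BEGIN { bad = 0 }
        $2 == "off" || $2 == 0 { bad = 1; print "peer " $1 " has no persistent keepalive" }
        END { exit bad }'
}

# handshake_fresh "<latest-handshakes output>" <now-unix-time> : 0 if every peer
# completed a handshake within MAX_AGE seconds of <now>; 0 timestamp means never.
handshake_fresh() {
    printf '%s\n' "$1" | awk -F'\t' -v now="$2" -v max="$MAX_AGE" '
        BEGIN { bad = 0 }
        $2 == 0 || now - $2 > max { bad = 1; print "stale peer " $1 " (" (now - $2) "s ago)" }
        END { exit bad }'
}

# Constructed samples (not a real key), as if captured at now = 1700000000.
PEER_KEY="ExAmPlEpUbKeYnOtAReAlOnE00000000000000000000="
SAMPLE_KEEPALIVE=$(printf '%s\t%s' "$PEER_KEY" 25)
SAMPLE_KEEPALIVE_OFF=$(printf '%s\t%s' "$PEER_KEY" off)
SAMPLE_HANDSHAKE_GOOD=$(printf '%s\t%s' "$PEER_KEY" 1699999950)
SAMPLE_HANDSHAKE_STALE=$(printf '%s\t%s' "$PEER_KEY" 1699990000)

# Live use on the Pi (uncomment), e.g. from a cron job that restarts the tunnel on failure:
# keepalive_ok "$(sudo wg show wg0 persistent-keepalive)" \
#   && handshake_fresh "$(sudo wg show wg0 latest-handshakes)" "$(date +%s)" \
#   || echo "wg0 is down"
```

Because the UFW rules above drop everything that is not on wg0, a stale handshake is the condition under which the Pi silently loses all connectivity, so this is the value worth alerting on.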
