Setting Up a WireGuard Server for Internet Access Only

To allow WireGuard clients access only to the internet while blocking access to private or local networks connected to the server, we configure specific iptables rules.
For IPv6 traffic, the rules are identical but use the ip6tables command instead of iptables.
Checking Your Network Interface
Before configuring iptables rules, you need to verify the correct name of your server’s internet-facing network interface.
Common names include ens3, eth0, enp1s0, and others, depending on your distribution and environment.
To check the available network interfaces, run:
ip link show
Look for the interface that provides your public internet connection.
You can also identify it by checking the assigned public IP:
ip addr show
In the examples below, we assume the internet-facing interface is named ens3. Replace it with your actual interface name if different.
iptables Rules for Internet-Only Access
Add the following commands to your WireGuard interface configuration (/etc/wireguard/wg0.conf) inside the [Interface] section:
PostUp = iptables -A FORWARD -i wg0 -o ens3 -j ACCEPT; iptables -A FORWARD -i ens3 -o wg0 -m state --state RELATED,ESTABLISHED -j ACCEPT; iptables -t nat -A POSTROUTING -o ens3 -j MASQUERADE; iptables -A FORWARD -i wg0 ! -o ens3 -j REJECT
PostDown = iptables -D FORWARD -i wg0 -o ens3 -j ACCEPT; iptables -D FORWARD -i ens3 -o wg0 -m state --state RELATED,ESTABLISHED -j ACCEPT; iptables -t nat -D POSTROUTING -o ens3 -j MASQUERADE; iptables -D FORWARD -i wg0 ! -o ens3 -j REJECT
Explanation of the rules:
- -A FORWARD -i wg0 -o ens3 -j ACCEPT: allows traffic from WireGuard clients to the internet.
- -A FORWARD -i ens3 -o wg0 -m state --state RELATED,ESTABLISHED -j ACCEPT: allows return traffic from the internet to WireGuard clients.
- -t nat -A POSTROUTING -o ens3 -j MASQUERADE: applies NAT (masquerading), replacing client source IPs with the server’s public IP.
- -A FORWARD -i wg0 ! -o ens3 -j REJECT: rejects any traffic from clients to non-internet destinations (e.g., private networks).
When the interface is stopped (PostDown), the rules are removed automatically.
Note
For IPv6 traffic, replicate the same rules using ip6tables instead of iptables.
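The snippet below is an added example, not part of the original page: a small POSIX shell script that generates the PostUp/PostDown lines from the section above for a given internet-facing interface (defaulting to the assumed name ens3), emits the matching ip6tables variant for IPv6, and offers a check that the chosen interface actually exists before the lines are pasted into wg0.conf. The function names, the --print flag and the exit codes are my own assumptions; the iptables rules themselves are exactly the four rules documented above.

```shell
#!/bin/sh
# Added example (not from the original page): build the internet-only
# firewall lines for a WireGuard server instead of editing them by hand,
# so the WAN interface name is typed once and the -A/-D pairs stay in sync.
# Function names and the default interface "ens3" are assumptions.

# wg_fw_rules <iptables|ip6tables> <A|D> <wan-if> <wg-if>
# Prints the four rules from the page, joined by "; ", ready to follow
# "PostUp =" (action A) or "PostDown =" (action D).
wg_fw_rules() {
    ipt=$1; act=$2; wan=$3; wg=$4
    # 1. clients -> internet
    printf '%s -%s FORWARD -i %s -o %s -j ACCEPT; ' "$ipt" "$act" "$wg" "$wan"
    # 2. return traffic internet -> clients
    printf '%s -%s FORWARD -i %s -o %s -m state --state RELATED,ESTABLISHED -j ACCEPT; ' \
        "$ipt" "$act" "$wan" "$wg"
    # 3. masquerade client source addresses behind the server's public IP
    printf '%s -t nat -%s POSTROUTING -o %s -j MASQUERADE; ' "$ipt" "$act" "$wan"
    # 4. everything else leaving wg0 (private networks, other peers) is rejected
    printf '%s -%s FORWARD -i %s ! -o %s -j REJECT' "$ipt" "$act" "$wg" "$wan"
}

# wg_interface_snippet <wan-if> <wg-if>
# Prints the two [Interface] lines, IPv4 rules followed by the IPv6 copy
# (same rules, ip6tables instead of iptables, as the page's note says).
wg_interface_snippet() {
    wan=$1; wg=$2
    printf 'PostUp = %s; %s\n' \
        "$(wg_fw_rules iptables A "$wan" "$wg")" \
        "$(wg_fw_rules ip6tables A "$wan" "$wg")"
    printf 'PostDown = %s; %s\n' \
        "$(wg_fw_rules iptables D "$wan" "$wg")" \
        "$(wg_fw_rules ip6tables D "$wan" "$wg")"
}

# check_wan_iface <wan-if>
# Returns 0 if the interface exists, 1 if it does not, 2 if "ip" is not
# available (the check cannot be performed, e.g. on a build host).
check_wan_iface() {
    command -v ip >/dev/null 2>&1 || return 2
    ip link show dev "$1" >/dev/null 2>&1
}

# Usage: ./wg-rules.sh --print [wan-if] [wg-if]
if [ "${1:-}" = "--print" ]; then
    wan=${2:-ens3}; wg=${3:-wg0}
    check_wan_iface "$wan"
    case $? in
        1) echo "interface $wan not found; run 'ip link show' to pick the right one" >&2; exit 1 ;;
        2) echo "note: 'ip' not found, skipping interface check" >&2 ;;
    esac
    wg_interface_snippet "$wan" "$wg"
fi
```

Two things the generated lines do not do, which follow directly from the rules being in the FORWARD chain: they do not restrict clients from reaching services listening on the server itself (that is the INPUT chain), and the final REJECT also blocks forwarding between two WireGuard peers via the server, because that traffic leaves on wg0 rather than ens3. Both are consequences of the page's rules, not additional rules of the page.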
When Using Docker
If you run WireGuard inside a Docker container:
- In bridge mode, the network interface visible inside the container will be a virtual interface (like eth0), not the actual physical interface (ens3 or eth0 on the host).
- As a result, the iptables rules targeting the server’s real internet interface will not apply correctly.
If you must run it in a container, adjust the interface names and rules according to the container’s network setup.