Firewall Rules
Stefano Bertelli edited this page Apr 18, 2026 · 2 revisions
The Rules page (/admin/rules) manages network policies and per-user firewall rules enforced via nftables.

Global toggles that control broad network behavior:
- Allow peer-to-peer communication - When enabled, VPN clients can communicate directly with each other through the WireGuard tunnel
- Allow local network to reach peers - When enabled, devices on the server's local network can reach VPN clients. Important: your LAN router also needs a static route for the WireGuard subnet — see LAN-to-Peer Routing for setup instructions.
These policies are applied immediately when toggled.
Fine-grained firewall rules that control what traffic VPN clients can send. Rules can be scoped globally (all users) or to a specific user.
| Column | Description |
|---|---|
| Action | `accept` or `drop` |
| Destination | Target IP/CIDR (e.g., 10.0.0.0/8, 0.0.0.0/0) |
| Port Type | `tcp`, `udp`, or `any` |
| Port Range | Specific port or range (e.g., 80, 443, 8000-9000), or `any` |
| User | The user this rule applies to, or Global for all users |
Click Add Rule to open the creation dialog.

- Destination (required) - Target IP address or CIDR range
- Action - `accept` to allow traffic, `drop` to block it
- Port Type - Protocol filter: `tcp`, `udp`, or `any`
- Port Range - Port number or range (leave empty for all ports)
- User - Scope to a specific user, or leave as `Global`
Rules are applied to the nftables ruleset immediately upon creation.
The bottom section provides a button to view the current nftables ruleset for debugging. This shows the raw nftables rules as applied on the server, useful for verifying that firewall rules are correctly translated.
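
When checking the viewer output against a rule you entered, it helps to know what match expression to look for. The sketch below is an added example, not the project's own translation code: it validates the dialog fields described above and builds the nftables expression one would expect for a rule. The function names are hypothetical, and matching a per-user rule on the peer's tunnel address (`peer_ip`) is an assumption; the chain layout and exact expression form on the server may differ.

```python
import ipaddress

def parse_ports(text):
    """Return '' for all ports, or a validated 'N' / 'LO-HI' string."""
    text = (text or "").strip()
    if text in ("", "any"):
        return ""
    parts = text.split("-")
    if len(parts) > 2 or not all(p.isdigit() for p in parts):
        raise ValueError(f"bad port range: {text!r}")
    nums = [int(p) for p in parts]
    if any(n < 1 or n > 65535 for n in nums) or nums != sorted(nums):
        raise ValueError(f"bad port range: {text!r}")
    return "-".join(str(n) for n in nums)

def expected_nft(action, destination, port_type="any", port_range="", peer_ip=None):
    """Build the nft match expression expected for one rule row.

    peer_ip is an assumption: a per-user rule is modelled as a match on
    that user's tunnel address; Global rules carry no source match.
    """
    if action not in ("accept", "drop"):
        raise ValueError("action must be accept or drop")
    if port_type not in ("tcp", "udp", "any"):
        raise ValueError("port type must be tcp, udp or any")
    # strict=False normalises host bits, e.g. 10.0.0.5/8 -> 10.0.0.0/8
    net = ipaddress.ip_network(destination, strict=False)
    fam = "ip" if net.version == 4 else "ip6"
    ports = parse_ports(port_range)
    out = []
    if peer_ip:
        src = ipaddress.ip_address(peer_ip)
        out.append(f"{'ip' if src.version == 4 else 'ip6'} saddr {src}")
    out.append(f"{fam} daddr {net}")
    if port_type == "any" and ports:
        # A port with no protocol has to cover both TCP and UDP
        out.append(f"meta l4proto {{ tcp, udp }} th dport {ports}")
    elif ports:
        out.append(f"{port_type} dport {ports}")
    elif port_type != "any":
        out.append(f"meta l4proto {port_type}")
    out.append(action)
    return " ".join(out)
```

A `drop` rule for `0.0.0.0/0` with no port restriction matches all traffic for its scope, so it is worth confirming in the viewer where it sits relative to any `accept` rules it is meant to sit beside.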