WireGuard and ConfigServer Firewall (CSF)

When running a WireGuard server behind ConfigServer Firewall (CSF), a few changes need to be made to the CSF configuration: first to let WireGuard's UDP traffic through the firewall at all, then to forward traffic between WireGuard clients (and from clients out through the server's public interface) once the tunnel is up.

First, we need to open the WireGuard UDP port in /etc/csf/csf.conf. WireGuard listens on UDP port 51820 by default, but check the ListenPort line of the server's tunnel config (for example, /etc/wireguard/wg0.conf) to be sure.

Open /etc/csf/csf.conf and append the port to the comma-separated, quoted lists on the following lines, keeping the entries that are already there (the UDP6 lines only matter if IPv6 is enabled in CSF):

UDP_IN =
UDP_OUT =
UDP6_IN =
UDP6_OUT =

Save your changes and restart CSF:

csf -r

Now, we are going to add a script that CSF runs every time it is started or restarted, after it has finished loading its own rules. CSF flushes and rebuilds the rule set on every restart, which is why rules added by hand with iptables do not survive. The location and name of the file matter:

/etc/csf/csfpost.sh

Insert the following into that file:

#!/bin/bash
# Run by CSF after its own rules are loaded. WAN is the public-facing interface
# (eth0 in the original; check with "ip route show default"); WG_NET is the network in wg0.conf.
WAN=eth0; WG_NET=10.66.66.0/24; IPT=/usr/sbin/iptables
# Insert a rule at the top of its chain, ahead of CSF's own catch-all drop, and only if it
# is not already there, so running the script twice does not duplicate rules.
add() { "$IPT" -C "$@" 2>/dev/null || "$IPT" -I "$@"; }
# NAT tunnel traffic leaving via the WAN, and let clients reach the server itself over wg0.
add POSTROUTING -t nat -s "$WG_NET" -o "$WAN" -j MASQUERADE
add INPUT -i wg0 -j ACCEPT
# Forward client-to-client and client-to-WAN traffic; from the WAN side only replies come back in.
add FORWARD -i wg0 -o wg0 -j ACCEPT
add FORWARD -i wg0 -o "$WAN" -j ACCEPT
add FORWARD -i "$WAN" -o wg0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

Make sure to change 10.66.66.0/24 above to match the WireGuard network you have configured in wg0.conf. That is the network, not the server's own tunnel address: Address = 10.66.66.1/24 means the network is 10.66.66.0/24. Likewise replace eth0 with the server's public-facing interface if it is named differently (ip route show default shows it); on a Rocky Linux 8 machine it is often not called eth0.

Let’s make our script executable:

chmod +x /etc/csf/csfpost.sh

Save your changes and restart CSF one more time:

csf -r

At this point, you should be able to reach one WireGuard client from another, with that traffic routed through your WireGuard server. If you are unable to connect, check the following in order: both clients have active tunnels and show a recent handshake in wg show on the server; IP forwarding is enabled on the server (sysctl net.ipv4.ip_forward must report 1; nothing above turns it on, and without it the server will not route between clients); the rules from csfpost.sh are actually present after the restart (iptables -S FORWARD and iptables -t nat -S POSTROUTING); and each client's AllowedIPs covers the other clients' addresses (typically the whole tunnel network), not just the server's own tunnel address.
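As an added example (not part of the original post): a small shell script that derives the two values the steps above depend on from a WireGuard config, the ListenPort and the network behind the Address line, builds the csf.conf UDP lines with that port added without duplicating it, and, when run with --check on a server, also previews the csf.conf edits and reports whether IP forwarding is on. The config text it is tested with is constructed for demonstration; the paths /etc/wireguard/wg0.conf and /etc/csf/csf.conf are the ones used in this post, and the --check flag is this script's own.

```shell
#!/bin/sh
# Added example, not from the original post. Derives the port and network the
# CSF steps need from a WireGuard config and previews the csf.conf changes.

# Print the ListenPort from WireGuard config text on stdin (51820 if unset).
wg_listen_port() {
  port=$(sed -n 's/^[[:space:]]*ListenPort[[:space:]]*=[[:space:]]*\([0-9][0-9]*\).*/\1/p' | head -n 1)
  printf '%s\n' "${port:-51820}"
}

# Print the first IPv4 entry of the Address line (host/prefix) from config on stdin.
wg_ipv4_address() {
  sed -n 's/^[[:space:]]*Address[[:space:]]*=[[:space:]]*//p' | tr ',' '\n' | tr -d ' ' |
    grep '^[0-9]*\.[0-9]*\.[0-9]*\.[0-9]*/[0-9]*$' | head -n 1
}

# Turn host/prefix (e.g. 10.66.66.1/24) into the network it belongs to
# (10.66.66.0/24), which is what the MASQUERADE rule needs. Relies on the
# shell's 64-bit arithmetic, which any modern Linux shell provides.
cidr_network() {
  case $1 in */*) ;; *) echo "cidr_network: want a.b.c.d/len, got '$1'" >&2; return 1 ;; esac
  ip=${1%/*}; plen=${1#*/}
  oldifs=$IFS; IFS=.; set -- $ip; IFS=$oldifs
  n=$(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
  mask=$(( (1 << 32) - (1 << (32 - plen)) ))
  net=$(( n & mask ))
  printf '%d.%d.%d.%d/%d\n' $(( (net >> 24) & 255 )) $(( (net >> 16) & 255 )) \
    $(( (net >> 8) & 255 )) $(( net & 255 )) "$plen"
}

# Given one csf.conf line such as:  UDP_IN = "20,21,53"
# print it with PORT appended to the quoted list, unless it is already listed.
csf_add_port() {
  line=$1; port=$2
  list=$(printf '%s\n' "$line" | sed 's/^[^"]*"\([^"]*\)".*$/\1/')
  case ",$list," in *",$port,"*) printf '%s\n' "$line"; return 0 ;; esac
  if [ -z "$list" ]; then new=$port; else new="$list,$port"; fi
  printf '%s\n' "$line" | sed "s/\"[^\"]*\"/\"$new\"/"
}

# On a real server (run as root): report the values, preview the csf.conf
# edits, and check that IP forwarding is on, since the server cannot route
# between clients without it. Paths are the ones used in the post.
host_check() {
  conf=${1:-/etc/wireguard/wg0.conf}
  [ -r "$conf" ] || { echo "cannot read $conf" >&2; return 1; }
  port=$(wg_listen_port < "$conf")
  net=$(cidr_network "$(wg_ipv4_address < "$conf")") || return 1
  echo "WireGuard UDP port: $port   (add to UDP_IN/UDP_OUT in /etc/csf/csf.conf)"
  echo "WireGuard network:  $net   (use in the MASQUERADE rule in /etc/csf/csfpost.sh)"
  for key in UDP_IN UDP_OUT UDP6_IN UDP6_OUT; do
    line=$(grep "^$key = " /etc/csf/csf.conf) && csf_add_port "$line" "$port"
  done
  if [ "$(cat /proc/sys/net/ipv4/ip_forward)" = 1 ]; then
    echo "net.ipv4.ip_forward = 1"
  else
    echo "net.ipv4.ip_forward is 0: set it to 1 (sysctl -w net.ipv4.ip_forward=1) and persist it"
  fi
}

# Usage on a server: sh wg-csf-check.sh --check [/path/to/wg0.conf]
if [ "${1:-}" = "--check" ]; then host_check "${2:-}"; fi
```

The network calculation is done with integer arithmetic rather than by blanking the last octet, so it also gives the right answer for tunnel networks that are not /24 (10.11.22.77/20 becomes 10.11.16.0/20). The csf.conf lines are only printed, not written back, so the preview can be compared against the file before you edit it.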

The above has been tested on a system running Rocky Linux 8.4.
