
UFW: allow WireGuard, block everything else

Updated: February 2026

A WireGuard server should expose very little. The usual baseline is: deny all inbound, allow SSH, and allow UDP 51820 (or whatever WireGuard port you chose).

Don’t lock yourself out: ensure you can access a provider console before tightening firewall rules.

If you’re new to VPS security, start with our Ubuntu VPS hardening checklist.

Assumptions

  • Ubuntu/Debian server
  • WireGuard listens on 51820/udp (default)
  • You need SSH access (22/tcp)

1) Install UFW (if needed)

sudo apt update
sudo apt install -y ufw

2) Set safe defaults

sudo ufw default deny incoming
sudo ufw default allow outgoing

3) Allow SSH first

sudo ufw allow OpenSSH
# or: sudo ufw allow 22/tcp

Do this before enabling UFW. Always.

4) Allow WireGuard

sudo ufw allow 51820/udp

If you changed WireGuard’s port, allow your chosen port instead. Also remember: your provider firewall must allow this too.

5) Enable and verify

sudo ufw enable
sudo ufw status verbose

Verification checklist:

  • You can still SSH in from a second terminal.
  • WireGuard peers can handshake (check wg show).
  • No other inbound ports are open.

sudo wg show
ss -lunpt | grep -E ':51820\b' || true

Common mistakes

  • Forgetting that the provider firewall (cloud control panel) may still block 51820/udp even after UFW allows it.
  • Allowing only TCP 51820 (WireGuard is UDP).
  • Enabling UFW before allowing SSH.
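The five steps above and the mistakes just listed can be folded into one script. The following is an added example, not part of the original guide: it applies the baseline in the order the steps require (SSH allowed before enable, WireGuard as UDP) and audits `ufw status` output so that any inbound allow beyond SSH and WireGuard, including a TCP-only 51820 rule, is flagged. The function names, the WG_PORT/SSH_PORT variables and the sample `ufw status verbose` output are mine; the sample is constructed to contain two of the mistakes above.

```shell
#!/bin/sh
# Added example, not part of the original guide: apply the UFW baseline and
# audit `ufw status` so that only SSH and WireGuard are allowed inbound.
# Assumes Ubuntu/Debian, WireGuard on 51820/udp, SSH on 22/tcp; override
# WG_PORT / SSH_PORT in the environment if your ports differ.

WG_PORT="${WG_PORT:-51820}"
SSH_PORT="${SSH_PORT:-22}"

# Steps 2-5 in one place. Order matters: SSH is allowed before `enable`.
# --force answers the "may disrupt existing ssh connections" prompt.
apply_baseline() {
    ufw default deny incoming
    ufw default allow outgoing
    ufw allow "${SSH_PORT}/tcp"
    ufw allow "${WG_PORT}/udp"     # UDP: a TCP rule does nothing for WireGuard
    ufw --force enable
    ufw status verbose
}

# Read `ufw status` (plain or verbose) on stdin and print every inbound
# ALLOW/LIMIT rule whose target is not in the expected set. Returns 1 if
# any unexpected rule was found, 0 otherwise. "OpenSSH" covers the app
# profile that `ufw allow OpenSSH` creates.
audit_status() {
    awk -v expected="${SSH_PORT}/tcp OpenSSH ${WG_PORT}/udp" '
        BEGIN {
            bad = 0
            n = split(expected, ok, " ")
            for (i = 1; i <= n; i++) allow[ok[i]] = 1
        }
        # rule rows look like "<to> [(v6)] ALLOW [IN|OUT] <from>";
        # outbound rows are skipped, everything else is checked against $1
        $0 ~ / (ALLOW|LIMIT) / && $0 !~ / (ALLOW|LIMIT) OUT / && !($1 in allow) {
            target = ($2 == "(v6)") ? $1 " (v6)" : $1
            print "unexpected inbound allow: " target
            bad = 1
        }
        END { exit bad }
    '
}

# Constructed sample of `ufw status verbose` output showing two of the
# mistakes from the list above: a TCP rule for WireGuard and a stray HTTP rule.
SAMPLE_STATUS='Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW IN    Anywhere
51820/tcp                  ALLOW IN    Anywhere
80/tcp                     ALLOW IN    Anywhere
22/tcp (v6)                ALLOW IN    Anywhere (v6)
51820/tcp (v6)             ALLOW IN    Anywhere (v6)'

case "${1:-}" in
    apply) apply_baseline ;;                         # sh ufw-wg.sh apply  (as root)
    live)  ufw status verbose | audit_status ;;      # sh ufw-wg.sh live   (as root)
    *)     printf '%s\n' "$SAMPLE_STATUS" | audit_status \
               || echo "sample has rules the baseline does not expect" ;;
esac
```

Run with no argument to see the audit flag `51820/tcp` and `80/tcp` in the constructed sample; `apply` runs the baseline on the server, and `live` audits the real firewall afterwards (both need root). The audit reads `ufw status` text rather than iptables so it works on any box where you can only see the UFW summary.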

Need a WireGuard install with sane firewall posture?

SecureVoice can deliver a fixed-scope WireGuard setup with a documented handover.
