Question

How to use WireGuard with DigitalOcean Cloud Firewall

Posted on January 22, 2025
VPN Cloud Firewalls
Asked by ThrivenGeek

I recently deployed a droplet with WGDashboard so I could VPN into my private network and access other droplets. It seemed to work great until I decided to apply a cloud firewall to one of the droplets running a webserver. As soon as I applied the firewall I could no longer access that droplet over the VPN. Even if I allow all TCP and UDP connections it still does not work. If I remove the cloud firewall from the droplet access is restored. Is this expected behavior?

My end goal is to be able to restrict public vs private access. Example, being able to access Portainer over the VPN but not over the web.

Submit an answer

This textbox defaults to using Markdown to format your answer.

You can type !ref in this text area to quickly search our full set of tutorials, documentation & marketplace offerings and insert the link!

These answers are provided by our Community. If you find them useful, show some love by clicking the heart. If you run into issues leave a comment, or add your own answer to help others.

alexdo

Site Moderator

• January 23, 2025

Heya, @thrivengeek

DigitalOcean’s Cloud Firewalls apply their rules at the network level, outside the droplet itself. This can inadvertently block VPN traffic if the firewall rules are not explicitly configured to allow traffic from your VPN.

You can open the Cloud Firewall settings and add a rule to allow traffic from your VPN subnet:

Protocol: TCP/UDP
Ports: The ports you want accessible over the VPN (e.g., 9000 for Portainer, 80/443 for web).
Source: 10.8.0.0/24 (or whatever your VPN subnet is).

Regards