diff --git a/roles/base/tasks/wireguard.yml b/roles/base/tasks/wireguard.yml
index 698c560..21a3be1 100644
--- a/roles/base/tasks/wireguard.yml
+++ b/roles/base/tasks/wireguard.yml
@@ -27,3 +27,10 @@
     name: wg-quick@wg0
     state: started
     enabled: true
+
+- name: Add WireGuard firewall rule
+  ufw:
+    rule: allow
+    port: "{{ wireguard.listenport }}"
+    proto: tcp
+  when: wireguard.listenport is defined