diff --git a/common/network/pia-wireguard.nix b/common/network/pia-wireguard.nix
index 399f487..d9d2023 100644
--- a/common/network/pia-wireguard.nix
+++ b/common/network/pia-wireguard.nix
@@ -213,8 +213,8 @@ in {
 echo $payload >> /tmp/${cfg.interfaceName}-port-renewal
 
 # Block all traffic from VPN interface except for traffic that is from the forwarded port
-iptables -I INPUT -i ${cfg.interfaceName} -j DROP
-iptables -I INPUT -i ${cfg.interfaceName} -p tcp --dport $port -j ACCEPT
+iptables -I nixos-fw -p tcp --dport $port -j nixos-fw-accept -i ${cfg.interfaceName}
+iptables -I nixos-fw -p udp --dport $port -j nixos-fw-accept -i ${cfg.interfaceName}
 
 # The first port refresh triggers the port to be actually allocated
 ${refreshPIAPort}
diff --git a/common/network/vpn.nix b/common/network/vpn.nix
index 5854692..a107a35 100644
--- a/common/network/vpn.nix
+++ b/common/network/vpn.nix
@@ -75,7 +75,11 @@ in
 # speeds up evaluation
 nixpkgs.pkgs = pkgs;
 
-networking.firewall.enable = mkForce false;
+# networking.firewall.enable = mkForce false;
+networking.firewall.trustedInterfaces = [
+# completely trust internal interface to host
+"eth0"
+];
 
 pia.openvpn.enable = cfg.useOpenVPN;
 pia.openvpn.server = "swiss.privacy.network"; # swiss vpn
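Review bot: The comment kept above the two new iptables lines in pia-wireguard.nix still claims all traffic from the VPN interface is blocked except the forwarded port, but the DROP rule is removed and the new lines only add accepts to the `nixos-fw` chain, so what else gets through now depends on the rest of that chain rather than on this script; replace it with `# Accept the forwarded port (tcp+udp) arriving on the VPN interface; anything else on it is left to the rest of the nixos-fw chain`. `$port` is taken from the PIA payload echoed on the line above and is passed unquoted into both rules, so a guard such as `[[ "$port" =~ ^[0-9]+$ ]] || exit 1` placed before the inserts would keep a malformed or unexpected response from becoming an unintended rule. The rules are also added with `-I` on every run and nothing visible removes the previous ones, so it looks like accept rules for earlier ports accumulate across renewals; that should at least be noted in the comment if it is intended. These inserts only succeed while the `nixos-fw` chain exists, i.e. while the NixOS firewall is enabled, which is what the vpn.nix hunk in this same change now relies on. The enclosing script starts and ends outside the hunk.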
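Review bot: In vpn.nix the commented-out `# networking.firewall.enable = mkForce false;` is dead configuration left beside its replacement and should be removed; a comment stating why the firewall must now stay enabled is more useful, since the rules added to common/network/pia-wireguard.nix in this same change insert into the `nixos-fw` chain, which is only present while the NixOS firewall is on, e.g. `# Firewall must stay enabled: pia-wireguard.nix inserts its port-forward rules into the nixos-fw chain`. Listing "eth0" in trustedInterfaces accepts every packet arriving on that interface unfiltered, and whether eth0 is really the host-facing side of what looks like a container configuration cannot be confirmed from this hunk, so the comment should state that assumption rather than just "completely trust", e.g. `# eth0 is assumed to be the container-side link to the host; all traffic from it is accepted unfiltered`. The enclosing attribute set continues outside the hunk.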