diff --git a/docs/guides/vpn/wireguard/internal.md b/docs/guides/vpn/wireguard/internal.md index 1c2f91af5..bd455113c 100644 --- a/docs/guides/vpn/wireguard/internal.md +++ b/docs/guides/vpn/wireguard/internal.md @@ -84,6 +84,31 @@ The rules will then be cleared once the tunnel is down. The important change is the extra `PostUp` and `PostDown` in the `[Interface]` section. + +### `ufw` + +If you are using UFW the above doesn't work and you will need to edit `/etc/ufw/before.rules`: + +Insert this into the before.rules file but **before** the FIRST commit line: + +```bash +# allow forwarding for trusted network +-A ufw-before-forward -s 10.10.10.0/24 -j ACCEPT +-A ufw-before-forward -d 10.10.10.0/24 -j ACCEPT +``` + +For IPv6 you need to do the same but at `/etc/ufw/before6.rules`: + +Put the following near the bottom but **before** the first COMMIT line: + +```bash +# allow forwarding for trusted network +-A ufw6-before-forward -s fd08:4711::/64 -j ACCEPT +-A ufw6-before-forward -d fd08:4711::/64 -j ACCEPT +``` + +Restart ufw for the changes to take effect: `systemctl restart ufw` + ## Allow clients to access other devices In our standard configuration, we have configured the clients in such a way that they can only speak to the server. Add the network range of your local network in CIDR notation (e.g., `192.168.2.1 - 192.168.2.254` -> `192.168.2.0/24`) in the `[Peers]` section of all clients you want to have this feature:
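Review bot: the `-A ufw-before-forward -s 10.10.10.0/24 -j ACCEPT` / `-d 10.10.10.0/24 -j ACCEPT` pair in the new `ufw` subsection (and the matching `ufw6-before-forward` pair for `fd08:4711::/64`) matches on address only, so any forwarded packet whose source or destination falls in the trusted range is accepted no matter which interface it arrived on, which lets a host on another attached network reach the trusted range with a spoofed source address. Suggest binding the outbound rule to the tunnel interface (assumed here to be `wg0`, the page does not name it) and accepting the reverse direction statefully instead of with a blanket `-d` match, for example `-A ufw-before-forward -i wg0 -s 10.10.10.0/24 -j ACCEPT` followed by `-A ufw-before-forward -o wg0 -d 10.10.10.0/24 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT`. Two smaller points: "If you are using UFW the above doesn't work" is stated without a reason and without saying what fails, so either explain the interaction with UFW's `FORWARD` chain or soften it to "may be overridden"; and the two fences are tagged `bash` although they hold `iptables-restore` rules, so a plain fence or `text` would be more accurate, and the two lead-in sentences ("Insert this ... before the FIRST commit line" versus "Put the following near the bottom but before the first COMMIT line") should use the same wording.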