diff --git a/terraform/.terraform.lock.hcl b/terraform/.terraform.lock.hcl
new file mode 100644
index 0000000..126b1d4
--- /dev/null
+++ b/terraform/.terraform.lock.hcl
@@ -0,0 +1,24 @@
+# This file is maintained automatically by "terraform init".
+# Manual edits may be lost in future updates.
+
+provider "registry.terraform.io/hetznercloud/hcloud" {
+ version = "1.32.1"
+ constraints = "~> 1.32.1"
+ hashes = [
+ "h1:RfLu8m+y3fKf5FrDJarSp06KS4R75yZxPy9n+Df5PjM=",
+ "zh:043e941caf46b3a37cae5f2f9c1b7ce2b30f0b492bada6f3d8d6a7384f5cb7b2",
+ "zh:055835d483dd172e7b0e500f9dd789353e32c9328d51793b8d88451df4e92067",
+ "zh:3dd5a0006ab7f464a2bca8c5a46e583c6f09ba66aeff1ca847397b61fc823597",
+ "zh:3f0444956fdcb059ee9ea54f51af016d86f297477335f519256ca158a75c5e59",
+ "zh:569a80f0c9e2f5fb121d9050bc10d6e6ba30507e2e985b809a2613dcb5bdc095",
+ "zh:5e7e8499e62408d784d4c886827d421962134a3efda5f5f4f8794f9b1c17190c",
+ "zh:67b48380e144ba4c31fff41442cbf53463eba285321d4283430b605285048923",
+ "zh:7ddc434dbefecc6b1934f683f54ad5552c9e466b5e256b9cfe67f7b28ffecc7d",
+ "zh:87c0b5f4f6b3121cc81935ccb8598a58bda20c7f96f8a4270ecb0b6b2096ba40",
+ "zh:891d2234146c3fbc2fe6d2a0c176cefd01d16d2d1d25eebe6e15909aac4a1ddf",
+ "zh:a90ced7f84d8bdd64afd00c69ea9e2b1ed43314da020860c31ff266b3716d1f0",
+ "zh:b8c86266d9f4ae4d2cca8f3f7d58a48d0c000f16aa21a733bb81c760efa690f7",
+ "zh:bf8fdd6eb8619dc20d85d418ed910a79af0b28bf79ac3a4029f0d0ae032c9c7d",
+ "zh:d6d87b405c0fd5e576a7e0a8976689d555299806484fdacca205537367d92f37",
+ ]
+}
diff --git a/terraform/main.tf b/terraform/main.tf
index 7aba9be..128e3f3 100644
--- a/terraform/main.tf
+++ b/terraform/main.tf
@@ -2,7 +2,7 @@ terraform {
 required_providers {
 hcloud = {
 source = "hetznercloud/hcloud"
- version = "~> 1.26.2"
+ version = "~> 1.32.1"
 }
 }
 }
@@ -16,23 +16,59 @@ data "hcloud_image" "wg_image" { most_recent = true } -resource "hcloud_ssh_key" "wg_server_ssh_key" { - public_key = var.wg_server_ssh_publickey - name = var.wg_server_ssh_publickey_name +resource "hcloud_firewall" "wg_firewall" { + name = var.wg_firewall_name + labels = { service = "wireguard" } + rule { + description = "ICMP" + direction = "in" + protocol = "icmp" + source_ips = ["0.0.0.0/0", "::0/0"] + } + rule { + description = "SSH" + direction = "in" + protocol = "tcp" + port = "122" + source_ips = ["0.0.0.0/0", "::0/0"] + } + rule { + description = "WireGuard" + direction = "in" + protocol = "udp" + port = "51820" + source_ips = ["0.0.0.0/0", "::0/0"] + } + rule { + description = "WireGuard" + direction = "in" + protocol = "udp" + port = "53" + source_ips = ["0.0.0.0/0", "::0/0"] + } + rule { + description = "WireGuard" + direction = "in" + protocol = "tcp" + port = "443" + source_ips = ["0.0.0.0/0", "::0/0"] + } +} + +resource "hcloud_ssh_key" "wg_ssh_key" { + public_key = var.wg_ssh_publickey + name = var.wg_ssh_publickey_name } resource "hcloud_server" "wg_server" { - image = data.hcloud_image.wg_image.id - name = var.wg_server_name - server_type = var.wg_server_type - location = var.wg_server_location - labels = { - service = "wireguard" - } - ssh_keys = [ - hcloud_ssh_key.wg_server_ssh_key.id - ] - user_data = templatefile("${path.module}/templates/user-data.tpl", { + image = data.hcloud_image.wg_image.id + name = var.wg_server_name + server_type = var.wg_server_type + location = var.wg_server_location + labels = { service = "wireguard" } + firewall_ids = [hcloud_firewall.wg_firewall.id] + ssh_keys = [hcloud_ssh_key.wg_ssh_key.id] + user_data = templatefile("${path.module}/templates/user-data.tpl", { wg_server_wg_privatekey = var.wg_server_wg_privatekey wg_server_wg_peer_publickeys = var.wg_server_wg_peer_publickeys }) diff --git a/terraform/terraform.tfvars.sample b/terraform/terraform.tfvars.sample index 3cf04e3..33300a4 100644 
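Review bot: The rules for udp/53 and tcp/443 in the new `hcloud_firewall.wg_firewall` carry the description "WireGuard", copied from the 51820 rule, so the firewall no longer records why those two ports are open; if they are alternate WireGuard listen ports, say so (e.g. `description = "WireGuard (alternate listener, udp/53)"`), and if nothing in the cloud-init template binds them, the rules should be dropped. Every rule also uses `source_ips = ["0.0.0.0/0", "::0/0"]`, which makes the SSH listener on tcp/122 reachable from any address; a list variable for the admin source ranges (a new input, e.g. `wg_ssh_source_ips`, defaulting to the current any-address list) would let operators narrow that rule without editing main.tf. The hunk does not show where sshd is bound to port 122, so that choice cannot be confirmed from here, and the `hcloud_server.wg_server` block continues past the end of the hunk.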
--- a/terraform/terraform.tfvars.sample +++ b/terraform/terraform.tfvars.sample @@ -4,8 +4,10 @@ wg_server_name = "" wg_server_type = "" wg_server_location = "" -wg_server_ssh_publickey = "" -wg_server_ssh_publickey_name = "" - wg_server_wg_privatekey = "" wg_server_wg_peer_publickeys = [] + +wg_firewall_name = "" + +wg_ssh_publickey = "" +wg_ssh_publickey_name = "" diff --git a/terraform/variables.tf b/terraform/variables.tf index 0ffb128..3de93a4 100644 --- a/terraform/variables.tf +++ b/terraform/variables.tf @@ -22,22 +22,30 @@ variable "wg_server_location" { default = "fsn1" } -variable "wg_server_ssh_publickey" { - type = string - description = "SSH public key" -} - -variable "wg_server_ssh_publickey_name" { - type = string - description = "SSH public key name" -} - variable "wg_server_wg_privatekey" { type = string description = "WireGuard private key" + default = "" } variable "wg_server_wg_peer_publickeys" { type = list(string) description = "WireGuard peer public keys" + default = [] +} + +variable "wg_firewall_name" { + type = string + description = "Firewall name" + default = "wireguard" +} + +variable "wg_ssh_publickey" { + type = string + description = "SSH public key" +} + +variable "wg_ssh_publickey_name" { + type = string + description = "SSH public key name" }
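Review bot: `wg_firewall_name = ""` in the sample overrides the `"wireguard"` default that variables.tf gives this variable in the same commit, so anyone who copies the sample and fills in only the required values submits an empty firewall name. Either leave the line out of the sample or show the default, `wg_firewall_name = "wireguard"`, so the sample and the variable declaration agree.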
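Review bot: Adding `default = ""` to `wg_server_wg_privatekey` turns a required input into an optional one, so a run that forgets the key no longer fails at plan time and instead renders an empty private key into the cloud-init template; `default = []` on `wg_server_wg_peer_publickeys` likewise produces a server with no peers rather than an error. Keep these two variables without defaults, or add a `validation` block that rejects the empty value. Since the private key is a secret, the variable should also carry `sensitive = true` so it is redacted from plan output and logs; the `.terraform.lock.hcl` introduced in this commit implies Terraform 0.14 or later, where that argument is available.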