Wireguard server behind ufw firewall

My network devices:
router <-> gateway <-> local devices/servers

The gateway is running dietpi on a windows 10/hyper-v virtual machine.
Behind the ufw firewall on the gateway I run a reverse proxy, PiVPN, a wireguard server, and a pihole/unbound DNS server.
The ufw allowed (local) ports are: 22, 137, 138, 139, 445, 53 from

My problem: I can only access the local devices/servers either with the kill-switch off in wireguard and default ufw input “DENY”, or - when the kill switch is activated - by setting default ufw input to “ACCEPT” in /etc/default/ufw. Then everything runs fine, but I would prefer “DENY” as default ufw input rule with the kill-switch activated.

Following the approach in:
would these additions to /dietpi/dietpi-vpn solve this problem?
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -p udp --dport 137 -j ACCEPT
-A INPUT -p udp --dport 138 -j ACCEPT
-A INPUT -p tcp --dport 139 -j ACCEPT
-A INPUT -p tcp --dport 445 -j ACCEPT
-A INPUT -p udp --dport 53 -j ACCEPT

Or is there a better way to achieve my preferred configuration?
Thanks in advance,

In following up on my previous message and the discussion in
I added the following rule to the killswitch.rules in /boot/dietpi/dietpi-vpn


and set DEFAULT_INPUT_POLICY="DROP" in /etc/default/ufw

ufw status is now: Default: deny (incoming), allow (outgoing), deny (routed)
kill-switch in wireguard: activated

It indeed seems to allow all local traffic to the gateway, which is fine with me.
This thus solves my problem, but is this the best solution?

Accepting input only from the local subnet is enough.

Thanks, good to know.
However, my local devices lost access to the pihole-DNS server behind the firewall of the gateway. I have not been able to figure out how that can be resolved. Any suggestions?

Allow also for forward, not only input.
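
Putting the two replies above together (accept from the local subnet only, and on FORWARD as well as INPUT), here is an added example of what such a kill-switch rule set can look like; it is not from the thread or from the DietPi project. It assumes the rules file is read in iptables-restore syntax (as the "-A INPUT ..." lines quoted earlier suggest), a hypothetical LAN of 192.168.1.0/24 and a WireGuard interface named wg0.

```shell
#!/bin/sh
# Added example: emit a kill-switch fragment that keeps INPUT and FORWARD at DROP
# but admits the LAN. Subnet and interface below are assumptions for this thread.
LAN_SUBNET="${LAN_SUBNET:-192.168.1.0/24}"   # assumption: replace with your LAN
WG_IF="${WG_IF:-wg0}"                        # assumption: WireGuard interface name

# killswitch_rules SUBNET WG_IF [PORT/PROTO ...]
# With no port list every packet from SUBNET is accepted (the "local subnet is
# enough" advice). With a list such as 53/udp 53/tcp 22/tcp only those services
# are opened; list 53 so Pi-hole stays reachable from LAN clients.
killswitch_rules() {
  subnet=$1; wgif=$2; shift 2
  printf '%s\n' '*filter' ':INPUT DROP [0:0]' ':FORWARD DROP [0:0]' ':OUTPUT ACCEPT [0:0]'
  # loopback plus replies to connections the gateway opened itself
  printf '%s\n' '-A INPUT -i lo -j ACCEPT'
  printf '%s\n' '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
  printf '%s\n' '-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
  if [ $# -eq 0 ]; then
    printf '%s\n' "-A INPUT -s $subnet -j ACCEPT"
  else
    for spec in "$@"; do
      port=${spec%/*}; proto=${spec#*/}
      printf '%s\n' "-A INPUT -s $subnet -p $proto --dport $port -j ACCEPT"
    done
  fi
  # LAN clients routed through the gateway, and tunnel traffic destined for the LAN
  printf '%s\n' "-A FORWARD -s $subnet -j ACCEPT"
  printf '%s\n' "-A FORWARD -i $wgif -d $subnet -j ACCEPT"
  printf '%s\n' 'COMMIT'
}

# Preview only; to load without flushing other tables run:
#   killswitch_rules "$LAN_SUBNET" "$WG_IF" 53/udp 53/tcp 22/tcp | iptables-restore -n
killswitch_rules "$LAN_SUBNET" "$WG_IF" 53/udp 53/tcp 22/tcp
```

Check the loaded result with `iptables -S INPUT` and `iptables -S FORWARD`; a LAN host that can reach port 53 but not the other services means the FORWARD rules loaded while the INPUT port list was incomplete.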

Solved: I educated myself a bit, and started the gateway from scratch, also because I wanted to run bullseye. I dropped the ufw, since the gateway is behind the router-firewall anyway. It now works without problems with wireguard, pihole, and nginx for reverse proxy access. Thanks for the excellent dietpi documentation and support!