diff --git a/bundles/wireguard/metadata.py b/bundles/wireguard/metadata.py
index d771613..d861865 100644
--- a/bundles/wireguard/metadata.py
+++ b/bundles/wireguard/metadata.py
@@ -1,3 +1,5 @@
+from bundlewrap.metadata import atomic
+
 defaults = {
 'apt': {
 'packages': {
@@ -15,7 +17,6 @@ defaults = {
 'iptables': {
 'bundle_rules': {
 'wireguard': [
- 'iptables_both -A INPUT -p udp --dport 51820 -j ACCEPT',
 'iptables_both -A FORWARD -i wg0 -j ACCEPT',
 'iptables_both -A FORWARD -o wg0 -j ACCEPT',
 ],
@@ -102,3 +103,16 @@ def icinga2(metadata):
 },
 },
 }
+
+
+@metadata_reactor.provides(
+ 'iptables/port_rules',
+)
+def iptables(metadata):
+ return {
+ 'iptables': {
+ 'port_rules': {
+ '51820/udp': atomic(metadata.get('wireguard/restrict-to', set(metadata.get('wireguard/peers', {}).keys()))),
+ },
+ },
+ }
diff --git a/nodes/ovh/wireguard.py b/nodes/ovh/wireguard.py
index b1c9e12..2d6efba 100644
--- a/nodes/ovh/wireguard.py
+++ b/nodes/ovh/wireguard.py
@@ -37,6 +37,9 @@ nodes['ovh.wireguard'] = {
 'exclude_from_monitoring': True,
 },
 },
+ 'restrict-to': {
+ '*',
+ },
 },
 },
 }
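Review bot: The fallback in the new `iptables` reactor takes the allowed sources from the keys of `wireguard/peers`, so a node with no peers configured emits `'51820/udp'` with an empty set, and whether the iptables bundle treats an empty `port_rules` value as "nobody" or "everybody" is not visible here; it should be confirmed and stated on the reactor. Those keys are presumably peer names rather than addresses, so the consuming bundle must resolve them — also worth confirming. For readability, bind the default once, `allowed = metadata.get('wireguard/restrict-to', set(metadata.get('wireguard/peers', {})))`, and use `atomic(allowed)` in the returned dict. A docstring noting that `wireguard/restrict-to` overrides the peer-derived default, and that the blanket INPUT rule removed from `bundle_rules` in the earlier hunk is now expressed through `iptables/port_rules`, would help the next reader.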
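Review bot: `'restrict-to': {'*'}` on `ovh.wireguard` presumably reopens 51820/udp to any source, which restores the previously unrestricted INPUT rule for this one node while every other node now falls back to its peer list; a one-line comment explaining why this node must accept traffic from arbitrary addresses would keep the exception from being copied to other nodes without thought, e.g. `# deliberately open to all sources; see the iptables reactor in bundles/wireguard/metadata.py`. The enclosing `nodes['ovh.wireguard']` dict starts before the hunk.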