diff --git a/lib/tinc/default.nix b/lib/tinc/default.nix
index 00ef8c4..8dfdcbe 100644
--- a/lib/tinc/default.nix
+++ b/lib/tinc/default.nix
@@ -36,11 +36,15 @@ networkConfiguration:
 					prefixLength = 24;
 				}];
 
-				networking.firewall.allowedTCPPorts = [
-					655
-				];
-
-				networking.firewall.allowedUDPPorts = [
-					655
-				];
+				networking.firewall = {
+					allowedTCPPorts = [
+						655
+					];
+					allowedUDPPorts = [
+						655
+					];
+					trustedInterfaces = [
+						"tinc.cryto"
+					];
+				};
 			}