--- a/src/os.c	2019-12-06 19:49:50.323898270 +0100
+++ b/src/os.c	2019-12-06 19:54:20.987206244 +0100
@@ -445,24 +445,28 @@
 #ifdef __linux__
         static const char
             *set_cmds[] =
-                { "sysctl net.ipv4.ip_forward=1",
-                  "ip addr add $LOCAL_TUN_IP peer $REMOTE_TUN_IP dev $IF_NAME",
+                { "ip addr add $LOCAL_TUN_IP peer $REMOTE_TUN_IP dev $IF_NAME",
                   "ip -6 addr add $LOCAL_TUN_IP6 peer $REMOTE_TUN_IP6/96 dev $IF_NAME",
                   "ip link set dev $IF_NAME up",
+#ifndef NO_DEFAULT_FIREWALL
+                  "sysctl net.ipv4.ip_forward=1",
                   "iptables -t raw -I PREROUTING ! -i $IF_NAME -d $LOCAL_TUN_IP -m addrtype ! "
                   "--src-type LOCAL -j DROP",
                   "iptables -t nat -A POSTROUTING -o $EXT_IF_NAME -s $REMOTE_TUN_IP -j MASQUERADE",
                   "iptables -t filter -A FORWARD -i $EXT_IF_NAME -o $IF_NAME -m state --state "
                   "RELATED,ESTABLISHED -j ACCEPT",
                   "iptables -t filter -A FORWARD -i $IF_NAME -o $EXT_IF_NAME -j ACCEPT",
+#endif
                   NULL },
             *unset_cmds[] = {
+#ifndef NO_DEFAULT_FIREWALL
                 "iptables -t nat -D POSTROUTING -o $EXT_IF_NAME -s $REMOTE_TUN_IP -j MASQUERADE",
                 "iptables -t filter -D FORWARD -i $EXT_IF_NAME -o $IF_NAME -m state --state "
                 "RELATED,ESTABLISHED -j ACCEPT",
                 "iptables -t filter -D FORWARD -i $IF_NAME -o $EXT_IF_NAME -j ACCEPT",
                 "iptables -t raw -D PREROUTING ! -i $IF_NAME -d $LOCAL_TUN_IP -m addrtype ! "
                 "--src-type LOCAL -j DROP",
+#endif
                 NULL
             };
 #elif defined(__APPLE__) || defined(__OpenBSD__) || defined(__FreeBSD__) || \
@@ -503,12 +507,17 @@
 #elif defined(__linux__)
         static const char
             *set_cmds[] =
-                { "sysctl net.ipv4.tcp_congestion_control=bbr",
+                { 
+#ifndef NO_DEFAULT_CONGESTION
+                  "sysctl net.ipv4.tcp_congestion_control=bbr",
+#endif
                   "ip link set dev $IF_NAME up",
-                  "iptables -t raw -I PREROUTING ! -i $IF_NAME -d $LOCAL_TUN_IP -m addrtype ! "
-                  "--src-type LOCAL -j DROP",
                   "ip addr add $LOCAL_TUN_IP peer $REMOTE_TUN_IP dev $IF_NAME",
                   "ip -6 addr add $LOCAL_TUN_IP6 peer $REMOTE_TUN_IP6/96 dev $IF_NAME",
+#ifndef NO_DEFAULT_FIREWALL
+                  "iptables -t raw -I PREROUTING ! -i $IF_NAME -d $LOCAL_TUN_IP -m addrtype ! "
+                  "--src-type LOCAL -j DROP",
+#endif
 #ifndef NO_DEFAULT_ROUTES
                   "ip route add default dev $IF_NAME table 42069",
                   "ip -6 route add default dev $IF_NAME table 42069",
@@ -525,8 +534,10 @@
                 "ip rule delete table main suppress_prefixlength 0",
                 "ip -6 rule delete table main suppress_prefixlength 0",
 #endif
+#ifndef NO_DEFAULT_FIREWALL
                 "iptables -t raw -D PREROUTING ! -i $IF_NAME -d $LOCAL_TUN_IP -m addrtype ! "
                 "--src-type LOCAL -j DROP",
+#endif
                 NULL
             };
 #else