diff --git a/manifests/interface.pp b/manifests/interface.pp
index fd5367e..e7e667e 100644
--- a/manifests/interface.pp
+++ b/manifests/interface.pp
@@ -55,6 +55,10 @@
 require wireguard
 if $manage_firewall {
+ $daddr = empty($destination_addresses) ? {
+ true => undef,
+ default => $destination_addresses,
+ }
 ferm::rule { "allow_wg_${interface}":
 action => 'ACCEPT',
 chain => 'INPUT',
@@ -62,7 +66,7 @@
 dport => $dport,
 interface => $input_interface,
 saddr => $source_addresses,
- daddr => $destination_addresses,
+ daddr => $daddr,
 notify => Service['systemd-networkd'],
 }
 }
diff --git a/spec/defines/interface_spec.rb b/spec/defines/interface_spec.rb
index 3c7a0b4..a64d36f 100644
--- a/spec/defines/interface_spec.rb
+++ b/spec/defines/interface_spec.rb
@@ -96,6 +96,18 @@ class {"systemd":
 it { is_expected.to contain_file("/etc/systemd/network/#{title}.network").with_content(%r{Address=fe80::ade1/64}) }
 it { is_expected.not_to contain_ferm__rule("allow_wg_#{title}") }
 end
+ context 'with empty destintion_addresses' do
+ let :params do
+ {
+ public_key: 'blabla==',
+ endpoint: 'wireguard.example.com:1234',
+ manage_firewall: true,
+ destination_addresses: [],
+ }
+ end
+ it { is_expected.to compile.with_all_deps }
+ it { is_expected.to contain_ferm__rule("allow_wg_#{title}").without_daddr }
+ end
 end
 end
 end
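Review bot: When `$destination_addresses` is empty the new selector leaves `daddr` unset, so the ACCEPT rule for `$dport` on `$input_interface` now matches any destination address instead of whatever an empty array produced before; that is a deliberate widening of the firewall rule and belongs in the parameter documentation, e.g. `# An empty destination_addresses list disables destination filtering: the rule then accepts the port on every local address.` The enclosing define starts before the hunk, so I cannot see whether such a note already exists. `saddr => $source_addresses` in the following hunk is still passed straight through, so an empty source list presumably hits the same ferm::rule problem this selector works around; if so it needs the same `empty() ? { true => undef, default => ... }` treatment, ideally expressed once so the two parameters cannot drift apart.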
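Review bot: The new example only exercises the empty branch of the selector, so a regression that always yields `undef` (or that also drops other attributes) would still pass; chain a positive expectation onto the same matcher, e.g. `it { is_expected.to contain_ferm__rule("allow_wg_#{title}").with_action('ACCEPT').without_daddr }`, and add a sibling context with a non-empty list asserting `.with_daddr(['...'])` unless an example above the hunk already covers that. The context description misspells the parameter name: `context 'with empty destination_addresses' do`. The outer describe blocks close outside the hunk.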