diff --git a/roles/prometheus/templates/prometheus.yml.j2 b/roles/prometheus/templates/prometheus.yml.j2
index e700cb6373674905425f0eea07954ca23b98a53f..1265722eeedd81f765bcacf8f6182f1a88d8434e 100644
--- a/roles/prometheus/templates/prometheus.yml.j2
+++ b/roles/prometheus/templates/prometheus.yml.j2
@@ -53,7 +53,7 @@ scrape_configs:
   - job_name: 'node_exporter'
     static_configs:
       {% for host in groups['all'] %}
-      - targets: ['{{ host }}:{{ prometheus_exporter_port }}']
+      - targets: ['{{ hostvars[host]['wireguard_address'] }}:{{ prometheus_exporter_port }}']
         labels:
           instance: "{{ host }}"
       {% endfor %}
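Review bot: `hostvars[host]['wireguard_address']` is now read for every host in `groups['all']`, so one inventory host without that variable would presumably fail the template render and block the whole Prometheus config deploy. If every host is guaranteed to be on the WireGuard mesh, an `assert` task that says so before templating gives a clearer error than an undefined-variable failure. Otherwise filter the loop with `{% for host in groups['all'] if hostvars[host]['wireguard_address'] is defined %}`, accepting that skipped hosts silently drop out of monitoring. The same lookup is added in the `gitlab_runner_exporter`, `mysqld_exporter` and `memcached_exporter` hunks. The scrape job may continue outside this hunk.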
@@ -83,7 +83,7 @@ scrape_configs:
   - job_name: 'gitlab_runner_exporter'
     static_configs:
       {% for host in groups['gitlab_runners'] %}
-      - targets: ['{{ host }}:{{ gitlab_runner_exporter_port }}']
+      - targets: ['{{ hostvars[host]['wireguard_address'] }}:{{ gitlab_runner_exporter_port }}']
         labels:
           instance: "{{ host }}"
       {% endfor %}
@@ -112,7 +112,7 @@ scrape_configs:
   - job_name: 'mysqld_exporter'
     static_configs:
       {% for host in groups['mysql_servers'] %}
-      - targets: ['{{ host }}:{{ prometheus_mysqld_exporter_port }}']
+      - targets: ['{{ hostvars[host]['wireguard_address'] }}:{{ prometheus_mysqld_exporter_port }}']
         labels:
           instance: "{{ host }}"
       {% endfor %}
@@ -120,7 +120,7 @@ scrape_configs:
   - job_name: 'memcached_exporter'
     static_configs:
       {% for host in groups['memcached'] %}
-      - targets: ['{{ host }}:{{ prometheus_memcached_exporter_port }}']
+      - targets: ['{{ hostvars[host]['wireguard_address'] }}:{{ prometheus_memcached_exporter_port }}']
         labels:
           instance: "{{ host }}"
       {% endfor %}
diff --git a/roles/prometheus_exporters/tasks/main.yml b/roles/prometheus_exporters/tasks/main.yml
index 69e62e62c479ff27f64e0d4652d172df88dcf295..185e9c922dba293cd1327defc017a043a69217fd 100644
--- a/roles/prometheus_exporters/tasks/main.yml
+++ b/roles/prometheus_exporters/tasks/main.yml
@@ -221,21 +221,21 @@
   when: "'memcached' in group_names"
 
 - name: Open prometheus-node-exporter ipv4 port for monitoring.archlinux.org
-  ansible.posix.firewalld: state=enabled permanent=true immediate=yes
-        rich_rule="rule family=ipv4 source address={{ hostvars['monitoring.archlinux.org']['ipv4_address'] }} port protocol=tcp port={{ prometheus_exporter_port }} accept"
+  ansible.posix.firewalld: zone=wireguard state=enabled permanent=true immediate=yes
+        rich_rule="rule family=ipv4 source address={{ hostvars['monitoring.archlinux.org']['wireguard_address'] }} port protocol=tcp port={{ prometheus_exporter_port }} accept"
   when: "'prometheus' not in group_names"
 
 - name: Open gitlab exporter ipv4 port for monitoring.archlinux.org
-  ansible.posix.firewalld: state=enabled permanent=true immediate=yes
-        rich_rule="rule family=ipv4 source address={{ hostvars['monitoring.archlinux.org']['ipv4_address'] }} port protocol=tcp port={{ gitlab_runner_exporter_port }} accept"
+  ansible.posix.firewalld: zone=wireguard state=enabled permanent=true immediate=yes
+        rich_rule="rule family=ipv4 source address={{ hostvars['monitoring.archlinux.org']['wireguard_address'] }} port protocol=tcp port={{ gitlab_runner_exporter_port }} accept"
   when: "'gitlab_runners' in group_names"
 
 - name: Open prometheus mysqld exporter ipv4 port for monitoring.archlinux.org
-  ansible.posix.firewalld: state=enabled permanent=true immediate=yes
-        rich_rule="rule family=ipv4 source address={{ hostvars['monitoring.archlinux.org']['ipv4_address'] }} port protocol=tcp port={{ prometheus_mysqld_exporter_port }} accept"
+  ansible.posix.firewalld: zone=wireguard state=enabled permanent=true immediate=yes
+        rich_rule="rule family=ipv4 source address={{ hostvars['monitoring.archlinux.org']['wireguard_address'] }} port protocol=tcp port={{ prometheus_mysqld_exporter_port }} accept"
   when: "'mysql_servers' in group_names"
 
 - name: Open prometheus memcached exporter ipv4 port for monitoring.archlinux.org
-  ansible.posix.firewalld: state=enabled permanent=true immediate=yes
-        rich_rule="rule family=ipv4 source address={{ hostvars['monitoring.archlinux.org']['ipv4_address'] }} port protocol=tcp port={{ prometheus_memcached_exporter_port }} accept"
+  ansible.posix.firewalld: zone=wireguard state=enabled permanent=true immediate=yes
+        rich_rule="rule family=ipv4 source address={{ hostvars['monitoring.archlinux.org']['wireguard_address'] }} port protocol=tcp port={{ prometheus_memcached_exporter_port }} accept"
   when: "'memcached' in group_names"
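Review bot: Changing the `rich_rule` under `state=enabled` only adds the new rule in the `wireguard` zone. On hosts that were already provisioned, the old permanent rule accepting `ipv4_address` in the default zone is no longer managed and, unless it is removed elsewhere, stays in place. The exporter ports would then still accept connections from the monitoring host's public address, which defeats the point of moving scrapes onto the tunnel. A cleanup task with `state: disabled` for the old rule is needed for each of the four exporters; the node exporter one is shown below in native YAML args. Whether the exporters bind only to the WireGuard interface is not visible here and is worth confirming. The first context line of this hunk belongs to a task that starts outside it.

```yaml
# … unchanged: the four "Open … port for monitoring.archlinux.org" tasks …

- name: Remove old public-address rule for prometheus-node-exporter
  ansible.posix.firewalld:
    state: disabled
    permanent: true
    immediate: true
    rich_rule: "rule family=ipv4 source address={{ hostvars['monitoring.archlinux.org']['ipv4_address'] }} port protocol=tcp port={{ prometheus_exporter_port }} accept"
  when: "'prometheus' not in group_names"
```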