diff --git a/docs/docs/tfclient/img/firewall_main.png b/docs/docs/tfclient/img/firewall_main.png
new file mode 100644
index 0000000..193ced3
Binary files /dev/null and b/docs/docs/tfclient/img/firewall_main.png differ
diff --git a/docs/docs/tfclient/img/new_rule_1.png b/docs/docs/tfclient/img/new_rule_1.png
new file mode 100644
index 0000000..eee6c2e
Binary files /dev/null and b/docs/docs/tfclient/img/new_rule_1.png differ
diff --git a/docs/docs/tfclient/img/new_rule_2.png b/docs/docs/tfclient/img/new_rule_2.png
new file mode 100644
index 0000000..bf00bd9
Binary files /dev/null and b/docs/docs/tfclient/img/new_rule_2.png differ
diff --git a/docs/docs/tfclient/img/new_rule_3.png b/docs/docs/tfclient/img/new_rule_3.png
new file mode 100644
index 0000000..1d2590b
Binary files /dev/null and b/docs/docs/tfclient/img/new_rule_3.png differ
diff --git a/docs/docs/tfclient/troubleshooting.md b/docs/docs/tfclient/troubleshooting.md
new file mode 100644
index 0000000..6cd06e0
--- /dev/null
+++ b/docs/docs/tfclient/troubleshooting.md
@@ -0,0 +1,11 @@
+---
+sidebar_position: 3
+---
+
+# Troubleshooting
+
+This page lists common issues with tfclient and how to resolve them. This page will be updated occasionally as needed.
+
+## On Windows, traffic can leave but cannot enter
+
+This is [a known issue with Nebula](https://github.com/slackhq/nebula/issues/621), and by extension tfclient. [A workaround is available - see here for details.](/docs/tfclient/windows_firewall)
diff --git a/docs/docs/tfclient/windows_firewall.md b/docs/docs/tfclient/windows_firewall.md
new file mode 100644
index 0000000..10a3c10
--- /dev/null
+++ b/docs/docs/tfclient/windows_firewall.md
@@ -0,0 +1,45 @@
+---
+sidebar_position: 2
+---
+
+# Windows Firewall Setup
+
+:::info
+This is only needed on Windows-based platforms. On macOS and Linux, the firewall works correctly out-of-the-box.
+:::
+
+On Windows-based platforms, Nebula (and by extension tfclient) cannot properly configure Windows Defender Firewall automatically, thus preventing any inbound traffic from reaching your machine over your network (outbound traffic will still work). To fix this, you need to add a firewall rule to Windows Defender Firewall.
+
+It is recommended that you add a rule allowing **all inbound traffic from your network.** Nebula has a built-in firewall, thus it is preferred to allow the Nebula firewall to function as intended and leave Windows Defender Firewall essentially disabled for your VPN's subnet, allowing Nebula to function in it's place.
+
+## Adding the inbound rule
+
+1. Search for "Windows Defender Firewall with Advanced Security" and open it. This requires administrator privileges. You should see the window below.
+
+![Windows Defender Firewall Window](img/firewall_main.png)
+
+2. Select "Inbound Rules" on the left, and then click "New Rule" to open the New Inbound Rule Wizard. You should see the window below.
+
+![New Inbound Rule Wizard](img/new_rule_1.png)
+
+3. Select the Custom option, and click Next.
+4. Click the Next button for the Program step.
+5. Click the Next button for the Protocol and Port step.
+6. Select the "These IP addresses" checkbox under "Which remote IP addresses does this rule apply to?" as shown below.
+
+![These IP addresses radio](img/new_rule_2.png)
+
+7. Select the Add button next to "These IP addresses" to open the window shown below.
+
+![IP Address popup](img/new_rule_3.png)
+
+8. In the box under "This IP address or subnet" enter the CIDR notation of your network i.e. `10.16.0.0/15`. Ask your network administrator for this value if you do not know it.
+9. Click the "OK" button.
+10. Click the "Next" button.
+11. Under "What action should be taken when a connection matches the specified conditions?", select "Allow the connection", then click Next.
+12. Click "Next" on the Profile page.
+13. Enter a title for the rule. We recommend using something like `tfclient/nebula/YOUR_NETWORK_NAME/YOUR_NETWORK_CIDR`, such as `tfclient/nebula/corporate/10.16.0.0/15`.
+14. If desired, enter additional descriptions in the second text box.
+15. Select the "Finish" option.
+
+The changes should take effect immediately, and traffic should begin flowing 5-10 seconds after applying the rule (give Nebula time to perform handshakes and establish tunnels). If it does not take effect immediately, rebooting the affected machine typically resolves any issues.