A WireGuard server that routes traffic (full-tunnel, home-LAN, site-to-site) needs kernel IP forwarding enabled. Without it, NAT rules do nothing and clients connect but can’t reach anything.
1. Set it persistently
sudo tee /etc/sysctl.d/99-wireguard.conf >/dev/null <<'EOF'
net.ipv4.ip_forward = 1
net.ipv6.conf.all.forwarding = 1
EOF
2. Apply without rebooting
sudo sysctl --system
3. Confirm
sysctl net.ipv4.ip_forward
# -> net.ipv4.ip_forward = 1
One-off (until reboot)
If you just want to test before making it permanent:
sudo sysctl -w net.ipv4.ip_forward=1
IP forwarding is the silent prerequisite for the NAT/MASQUERADE rules and for site-to-site forwarding. If a full-tunnel client has a handshake and a correct AllowedIPs = 0.0.0.0/0 but still no internet, check this value first: it’s 0 by default on most distros.
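The confirm step above reads only the IPv4 runtime value. The script below is an added example, not part of the original page: it checks both keys at runtime and in the persistent configuration, so a one-off setting or a later file overriding 99-wireguard.conf shows up. It assumes a single config directory applied in lexical order with the later file winning; `sysctl --system` also reads other locations that this sketch does not scan, and the function names are illustrative.

```shell
#!/bin/sh
# Added example: compare runtime vs. persistent IP-forwarding state.
# The proc root and config dir are parameters so the functions can be
# pointed at a constructed test tree; defaults are the real locations.

# Runtime value of a sysctl key, read from procfs (dots become slashes).
runtime_value() {
    path="${2:-/proc/sys}/$(printf '%s' "$1" | tr . /)"
    if [ -r "$path" ]; then tr -d ' \t\n' < "$path"; else printf missing; fi
}

# Last assignment to a key among DIR/*.conf in lexical file order (the
# later file wins). Prints "value file", or nothing if the key is unset.
persistent_value() (
    LC_ALL=C; export LC_ALL
    for f in "${2:-/etc/sysctl.d}"/*.conf; do
        [ -f "$f" ] || continue
        awk -v k="$1" -v f="$f" '
            /^[ \t]*[#;]/ { next }                  # skip comment lines
            { split($0, kv, "=")
              gsub(/[ \t]/, "", kv[1]); gsub(/[ \t]/, "", kv[2])
              sub(/^-/, "", kv[1]) }                # "-key" = ignore errors
            kv[1] == k { print kv[2], f }' "$f"
    done | tail -n 1
)

# Report one key; succeed only if it is 1 both now and after a reboot.
check_forwarding() {
    run=$(runtime_value "$1" "${2:-/proc/sys}")
    key=$1
    set -- $(persistent_value "$1" "${3:-/etc/sysctl.d}")
    echo "$key: runtime=$run persistent=${1:-unset} (${2:-no file})"
    [ "$run" = 1 ] && [ "${1:-unset}" = 1 ]
}

for k in net.ipv4.ip_forward net.ipv6.conf.all.forwarding; do
    check_forwarding "$k" || true
done
```

A result of runtime=1 with persistent=unset is the one-off setting, which is lost at reboot; persistent=1 with runtime=0 means the file was written but not yet applied.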