A full tunnel sends all the client’s traffic out through the server (like a commercial VPN). The server must forward and NAT that traffic.
1. Enable IP forwarding (server)
echo 'net.ipv4.ip_forward = 1' | sudo tee /etc/sysctl.d/99-wg.conf
echo 'net.ipv6.conf.all.forwarding = 1' | sudo tee -a /etc/sysctl.d/99-wg.conf
sudo sysctl --system
2. Server — /etc/wireguard/wg0.conf
Replace eth0 with the server’s real WAN interface (run ip route show default to find it):
[Interface]
Address = 10.0.0.1/24
ListenPort = 51820
PrivateKey = SERVER_PRIVATE_KEY
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE; ip6tables -A FORWARD -i %i -j ACCEPT; ip6tables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE; ip6tables -D FORWARD -i %i -j ACCEPT; ip6tables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
[Peer]
PublicKey = CLIENT_PUBLIC_KEY
AllowedIPs = 10.0.0.2/32
3. Client — /etc/wireguard/wg0.conf
The key line is AllowedIPs = 0.0.0.0/0, ::/0 (send everything through the tunnel):
[Interface]
Address = 10.0.0.2/24
PrivateKey = CLIENT_PRIVATE_KEY
DNS = 1.1.1.1
[Peer]
PublicKey = SERVER_PUBLIC_KEY
Endpoint = SERVER_PUBLIC_IP:51820
AllowedIPs = 0.0.0.0/0, ::/0
PersistentKeepalive = 25
4. Bring up and verify
sudo wg-quick up wg0
curl ifconfig.me # should now show the SERVER's IP
DNS = 1.1.1.1 matters: without it, DNS queries can leak outside the tunnel (and wg-quick needs resolvconf or systemd-resolved to apply that line). If routing breaks, double-check the WAN interface name in the PostUp and PostDown rules — eth0 is just a placeholder.
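Step 4's curl check only proves the egress address; a full tunnel can still leak DNS to the LAN resolver, or have no working handshake at all. The script below is an added client-side leak check, not part of the original guide or of WireGuard's own tooling. It assumes the interface name wg0, the DNS server 1.1.1.1 and the SERVER_PUBLIC_IP placeholder from the config above; the check functions take command output as text (the samples in the comments are constructed), and the --live branch feeds them real output from ip, wg, resolv.conf and curl.

```sh
#!/bin/sh
# Full-tunnel leak check for the wg0 config above (added example, not the guide's own code).
# Assumptions: interface wg0, client DNS 1.1.1.1, and SERVER_PUBLIC_IP is the same placeholder
# the guide uses; fill it in before a live run. Functions take command output as text so they
# can be exercised offline on constructed samples.

# 0 if "ip route get <addr>" output ($1) sends the probe out the tunnel interface ($2).
# With wg-quick a good line looks like "1.1.1.1 dev wg0 table 51820 src 10.0.0.2 ...";
# a leak looks like "1.1.1.1 via 192.168.1.1 dev eth0 ..." (constructed samples).
route_uses_tunnel() {
    printf '%s\n' "$1" | grep -Eq "[[:space:]]dev[[:space:]]+$2([[:space:]]|\$)"
}

# 0 if every "nameserver" line in resolv.conf text ($1) is the tunnel DNS ($2) and at least
# one such line exists. A leftover LAN resolver (e.g. 192.168.1.1) is reachable through the
# more specific LAN route, so its queries bypass the tunnel.
dns_only_tunnel_resolver() {
    found=0
    while read -r key val _rest; do
        [ "$key" = "nameserver" ] || continue
        found=1
        [ "$val" = "$2" ] || return 1
    done <<EOF
$1
EOF
    [ "$found" -eq 1 ]
}

# 0 if the first peer in "wg show wg0 latest-handshakes" output ($1, "<pubkey>\t<unix time>")
# completed a handshake within $3 seconds of now ($2). A timestamp of 0 means never.
handshake_fresh() {
    read -r _peer ts <<EOF
$1
EOF
    case $ts in ''|*[!0-9]*) return 1 ;; esac
    [ "$ts" -gt 0 ] && [ $(( $2 - ts )) -le "$3" ]
}

# 0 if the public address seen from outside ($1) equals the server's address ($2);
# this is the guide's "curl ifconfig.me" check as a function.
egress_is_server() {
    [ "$1" = "$2" ]
}

# Runs every check against the live system. Only executed with --live so the functions above
# can be sourced and tested on sample text.
live_checks() {
    iface=${1:-wg0}
    expect_dns=${2:-1.1.1.1}
    server_ip=${3:-SERVER_PUBLIC_IP}   # placeholder from the guide; replace before use
    rc=0
    route_uses_tunnel "$(ip -4 route get 1.1.1.1 2>/dev/null)" "$iface" \
        && echo "ok   IPv4 default path goes via $iface" \
        || { echo "FAIL IPv4 traffic is not leaving via $iface"; rc=1; }
    dns_only_tunnel_resolver "$(cat /etc/resolv.conf)" "$expect_dns" \
        && echo "ok   resolv.conf points only at $expect_dns" \
        || { echo "FAIL a resolver other than $expect_dns is in /etc/resolv.conf (possible DNS leak)"; rc=1; }
    handshake_fresh "$(wg show "$iface" latest-handshakes 2>/dev/null)" "$(date +%s)" 180 \
        && echo "ok   recent handshake with the server" \
        || { echo "FAIL no recent handshake; check Endpoint, keys and UDP 51820 reachability"; rc=1; }
    egress_is_server "$(curl -s ifconfig.me)" "$server_ip" \
        && echo "ok   egress IP is the server's" \
        || { echo "FAIL egress IP differs from $server_ip"; rc=1; }
    return $rc
}

if [ "${1:-}" = "--live" ]; then
    live_checks "$2" "$3" "$4"
fi
```

Run it on the client after wg-quick up wg0 as `sh wg-check.sh --live wg0 1.1.1.1 <server ip>`. On a systemd-resolved host /etc/resolv.conf usually holds only the 127.0.0.53 stub, so the resolver check will report FAIL there; confirm with `resolvectl status wg0` that 1.1.1.1 is the interface's DNS server instead. If the handshake is fresh and the route check passes but traffic still stalls, look at the server side: the PostUp rule only accepts forwarding in the wg0-to-WAN direction, so on a host whose FORWARD chain defaults to DROP (Docker hosts commonly do this) the return traffic also needs an accept rule for `-o %i`.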