
Enable IP Forwarding for WireGuard (net.ipv4.ip_forward)

2 min · updated June 14, 2026

A WireGuard server that routes traffic (full-tunnel, home-LAN, site-to-site) needs kernel IP forwarding enabled. Without it, NAT rules do nothing: clients connect but can’t reach anything.

1. Set it persistently

sudo tee /etc/sysctl.d/99-wireguard.conf >/dev/null <<'EOF'
net.ipv4.ip_forward = 1
net.ipv6.conf.all.forwarding = 1
EOF

2. Apply without rebooting

sudo sysctl --system

3. Confirm

sysctl net.ipv4.ip_forward
# -> net.ipv4.ip_forward = 1

One-off (until reboot)

If you just want to test before making it permanent:

sudo sysctl -w net.ipv4.ip_forward=1

IP forwarding is the silent prerequisite for the NAT/MASQUERADE rules and for site-to-site forwarding. If a full-tunnel client has a handshake and a correct AllowedIPs = 0.0.0.0/0 but still no internet, check this value first. It’s 0 by default on most distros.
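When the value keeps coming back as 0, a later sysctl file may be overriding 99-wireguard.conf. The script below is an added example, not part of the original recipe: it finds which file sets the final value and compares that with the running kernel. The function names are hypothetical, and the file order (/etc/sysctl.d/*.conf in name order, then /etc/sysctl.conf) is an assumption about how `sysctl --system` applies them; other directories it may read are left out.

```shell
#!/bin/sh
# Added example: which file wins for a sysctl key, and does the kernel agree?

# last_setting KEY FILE...  -> prints "VALUE FILE" for the last assignment of
# KEY across FILEs, read in the order given (later assignments win).
last_setting() {
    key=$1; shift
    for f in "$@"; do shift; [ -r "$f" ] && set -- "$@" "$f"; done  # drop unreadable
    [ $# -gt 0 ] || return 1
    awk -v key="$key" '
        /^[ \t]*[#;]/ { next }                  # comment lines
        {
            line = $0
            sub(/^[ \t]*-?/, "", line)          # leading "-" means ignore errors
            eq = index(line, "=")
            if (eq == 0) next
            k = substr(line, 1, eq - 1); v = substr(line, eq + 1)
            gsub(/[ \t]/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
            gsub("/", ".", k)                   # net/ipv4/... is also accepted
            if (k == key) { val = v; src = FILENAME }
        }
        END { if (src != "") print val, src; else exit 1 }
    ' "$@"
}

# check_forwarding KEY PROC_FILE FILE...
# Returns 0 = on and persistent, 1 = configured but not applied,
#         2 = on now but lost at reboot, 3 = off.
check_forwarding() {
    key=$1; proc=$2; shift 2
    runtime=$(cat "$proc" 2>/dev/null) || runtime=unknown
    conf=$(last_setting "$key" "$@") || conf="unset none"
    cfg_val=${conf%% *}; cfg_src=${conf#* }
    if [ "$cfg_val" = 1 ] && [ "$runtime" = 1 ]; then
        echo "ok: $key=1, persisted by $cfg_src"; return 0
    elif [ "$cfg_val" = 1 ]; then
        echo "drift: $cfg_src sets 1 but runtime is $runtime; run: sudo sysctl --system"; return 1
    elif [ "$runtime" = 1 ]; then
        echo "not persistent: runtime is 1, final config value is $cfg_val ($cfg_src)"; return 2
    else
        echo "off: runtime=$runtime, config=$cfg_val ($cfg_src)"; return 3
    fi
}

# Usage on the server:
#   check_forwarding net.ipv4.ip_forward /proc/sys/net/ipv4/ip_forward \
#       /etc/sysctl.d/*.conf /etc/sysctl.conf
```

Run the same check with net.ipv6.conf.all.forwarding and /proc/sys/net/ipv6/conf/all/forwarding for the IPv6 setting.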
