Console9

How to route all traffic through a WireGuard tunnel

Configure AllowedIPs and NAT masquerading to route all internet traffic through a WireGuard VPN tunnel.

Prerequisites

  • A working WireGuard tunnel between client and server.
  • NAT/masquerading configured on the WireGuard server.

Step-by-Step: Route All Traffic Through WireGuard

  1. On the client, set AllowedIPs = 0.0.0.0/0, ::/0 in the [Peer] section of wg0.conf. This tells WireGuard to route all IPv4 and IPv6 traffic through the tunnel:

    [Peer]
    PublicKey = <SERVER_PUBLIC_KEY>
    Endpoint = server.example.com:51820
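    AllowedIPs = 0.0.0.0/0, ::/0

  2. On the server, verify that masquerading is active. The PostUp rules in the server's wg0.conf must include NAT masquerading. In the rule below, eth0 is the server's internet-facing interface; substitute the actual interface name if it differs: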

    PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

  3. Set the DNS server in the client's [Interface] section to prevent DNS leaks:

    [Interface]
    DNS = 1.1.1.1, 1.0.0.1

  4. Restart the tunnel:

    sudo wg-quick down wg0 && sudo wg-quick up wg0

How to Verify All Traffic Routes Through the Tunnel

Check the public IP from the client — it should show the server's IP:

    curl ifconfig.me
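
The client-side settings from steps 1 and 3 can also be checked in the config file itself, before the tunnel is brought up. The script below is an added example, not part of the original page: the function names and the sample configs are constructed, and it looks for the literal 0.0.0.0/0 and ::/0 values used above.

```shell
#!/bin/sh
# Added example: audit a wg-quick client config for the settings in steps 1 and 3.
# Function names and sample configs are constructed; multiple peers are pooled.

# Print the comma-separated values of key $3 in section $2 of file $1, one per line.
conf_values() {
    awk -v sect="[$2]" -v key="$3" '
        { sub(/#.*/, ""); gsub(/^[ \t]+|[ \t]+$/, "") }
        /^\[/ { in_sect = (tolower($0) == tolower(sect)); next }
        in_sect && (eq = index($0, "=")) {
            k = substr($0, 1, eq - 1); gsub(/[ \t]/, "", k)
            if (tolower(k) != tolower(key)) next
            n = split(substr($0, eq + 1), parts, ",")
            for (i = 1; i <= n; i++) {
                gsub(/[ \t]/, "", parts[i])
                if (parts[i] != "") print parts[i]
            }
        }' "$1"
}

# Print one FAIL line per missing setting; the exit status is the number of failures.
audit_fulltunnel() {
    problems=0
    allowed=$(conf_values "$1" Peer AllowedIPs)
    for route in 0.0.0.0/0 ::/0; do
        if ! printf '%s\n' "$allowed" | grep -Fqx -- "$route"; then
            echo "FAIL: AllowedIPs lacks $route, so that address family stays off the tunnel"
            problems=$((problems + 1))
        fi
    done
    if [ -z "$(conf_values "$1" Interface DNS)" ]; then
        echo "FAIL: no DNS in [Interface], so lookups keep using the existing resolver"
        problems=$((problems + 1))
    fi
    return "$problems"
}

tmp=$(mktemp -d)
cat > "$tmp/full.conf" <<'EOF'
[Interface]
DNS = 1.1.1.1, 1.0.0.1
[Peer]
PublicKey = <SERVER_PUBLIC_KEY>
Endpoint = server.example.com:51820
AllowedIPs = 0.0.0.0/0, ::/0
EOF
# Constructed weak variant: IPv4-only AllowedIPs and no DNS line.
sed -e 's|, ::/0||' -e '/^DNS/d' "$tmp/full.conf" > "$tmp/leaky.conf"
audit_fulltunnel "$tmp/full.conf" && echo "full.conf: OK"
audit_fulltunnel "$tmp/leaky.conf" || echo "leaky.conf: $? finding(s)"
```

Run against a real client config, `audit_fulltunnel /etc/wireguard/wg0.conf` needs read access to the file, which normally means root.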