WireGuard: no internet access through tunnel

Fix WireGuard when traffic routes through the tunnel but the client has no internet access due to missing NAT rules.


WireGuard clients cannot access the internet when NAT masquerading is not configured on the VPN server.

When WireGuard Produces This Error

The WireGuard tunnel is established (the handshake completes and wg show reports bytes transferred on the tunnel), but the client cannot reach external websites or services.

What Causes No Internet Through WireGuard Tunnel

The server is not performing NAT masquerading for traffic from the WireGuard subnet. Without masquerading, packets from the client (for example 10.0.0.2) leave the server with a private source address, and routers on the internet cannot route replies to it.

IP forwarding may also be disabled on the server, preventing packets from crossing between the wg0 interface and the public interface.

How to Fix No Internet Through WireGuard

  1. Enable IP forwarding (the sysctl command applies it now; the tee line makes it persist across reboots):

    sudo sysctl -w net.ipv4.ip_forward=1
    echo "net.ipv4.ip_forward = 1" | sudo tee -a /etc/sysctl.conf

  2. Add the forwarding and masquerading rules (replace eth0 with the server's public interface):

    sudo iptables -A FORWARD -i wg0 -j ACCEPT
    sudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

  3. Add these rules as PostUp/PostDown commands in the [Interface] section of the server's wg0.conf so they are applied when the tunnel comes up and removed when it goes down.
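As an added example (not part of the original article), a small POSIX shell audit of the three server-side conditions the steps above rely on. It works on sysctl and iptables-save text so it can be run against a captured ruleset; the interface names wg0/eth0 and the 10.0.0.0/24 subnet are assumptions matching the addresses used on this page.

```shell
#!/bin/sh
# Audit the server-side conditions the fix above depends on. Reads sysctl and
# iptables-save output as text so the checks can run on a capture without root.
# Assumed (constructed) names, adjust to your server: wg0 tunnel interface,
# eth0 public interface, 10.0.0.0/24 WireGuard subnet.
WG_IF="${WG_IF:-wg0}"
PUB_IF="${PUB_IF:-eth0}"
WG_NET="${WG_NET:-10.0.0.0/24}"

# $1: value of net.ipv4.ip_forward. Prints a finding only when it is not 1.
check_forwarding() {
  [ "$1" = "1" ] || echo "missing: sysctl -w net.ipv4.ip_forward=1 (currently $1)"
}

# stdin: iptables-save output. Prints one "missing:" line per absent rule.
check_rules() {
  rules=$(cat)
  # Tunnel -> public: packets arriving on wg0 may be forwarded out.
  printf '%s\n' "$rules" | grep -Eq "^-A FORWARD -i $WG_IF .*-j ACCEPT" \
    || echo "missing: iptables -A FORWARD -i $WG_IF -j ACCEPT"
  # Public -> tunnel replies only need a rule when FORWARD's policy is DROP.
  if printf '%s\n' "$rules" | grep -q '^:FORWARD DROP'; then
    printf '%s\n' "$rules" | grep -Eq "^-A FORWARD -o $WG_IF .*-j ACCEPT" \
      || echo "missing: iptables -A FORWARD -o $WG_IF -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
  fi
  # NAT: rewrite the private source to the public address; -s scopes it to the tunnel subnet.
  printf '%s\n' "$rules" | grep -Eq "^-A POSTROUTING .*-o $PUB_IF .*-j MASQUERADE" \
    || echo "missing: iptables -t nat -A POSTROUTING -s $WG_NET -o $PUB_IF -j MASQUERADE"
}

# Live audit (root required for iptables-save).
audit_live() {
  check_forwarding "$(cat /proc/sys/net/ipv4/ip_forward)"
  iptables-save | check_rules
}

# Constructed iptables-save capture of the failing state this page describes:
# FORWARD rule present, MASQUERADE rule absent.
SAMPLE_RULES='*filter
:FORWARD ACCEPT [0:0]
-A FORWARD -i wg0 -j ACCEPT
COMMIT
*nat
:POSTROUTING ACCEPT [0:0]
COMMIT'

# Demo on the constructed capture; use audit_live on a real server.
check_forwarding 1
printf '%s\n' "$SAMPLE_RULES" | check_rules
```

Each "missing:" line is the exact command to run; if the FORWARD chain's default policy is DROP, the audit also reports the return-path rule that the two-rule fix above does not include.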

How to Verify the Fix

From the client, test internet access:

curl ifconfig.me

The response should show the server's public IP rather than the client's own address, confirming that traffic exits through the tunnel and is masqueraded by the server.