I fucking love Wireguard. I love it. It’s awesome. I love it so much that I honestly don’t understand why tools like Tailscale or Headscale exist. I mean, I guess I understand if you want to modify instrumentation on the fly for whatever reason, but all the tunnels I’ve established have been pretty static. I’ve never needed something to basically wipe my ass for me with regards to Wireguard.

So, why do I think Wireguard gets passed over in favor of Tailscale or Headscale? I think it’s because people don’t realize that, while Wireguard does heavy lifting, it doesn’t wipe your fucking ass for you. In other words, it assumes nothing about what you’re trying to do with it. What does that entail?

It means that writing a simple wg0.conf is not the only thing you need to do if you plan on creating your own VPN endpoint. There are two things that need to be done before you can use your Wireguard node as a VPN endpoint. First, you have to tell your kernel that forwarding packets is what you intend to do.

sudo nano /etc/sysctl.conf

Then you need to add this:

net.ipv4.ip_forward = 1

Then you’ll have to open your wg0.conf or whatever you named it and add this after [Interface] but before [Peer]:

PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE; ip6tables -A FORWARD -i wg0 -j ACCEPT; ip6tables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE; ip6tables -D FORWARD -i wg0 -j ACCEPT; ip6tables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

The above sets up NAT masquerading in iptables to round out the “VPN endpoint” configuration.
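As an added example (not from the original post, and not part of WireGuard itself), here is a small POSIX sh helper that renders the two pieces above for any tunnel/upstream interface pair and checks whether the kernel forwarding flags are actually on. The function and variable names (render_sysctl, render_rules, render_postup, render_postdown, forwarding_enabled, WG_IF, WAN_IF) are hypothetical. It goes one step beyond the post: besides net.ipv4.ip_forward it also emits net.ipv6.conf.all.forwarding = 1, because the ip6tables MASQUERADE rules above only carry traffic once IPv6 forwarding is enabled too.

```shell
#!/bin/sh
# Added example, not from the original post. Renders the sysctl and
# PostUp/PostDown lines for a WireGuard VPN endpoint and checks the
# kernel forwarding flags. All function/variable names are hypothetical.

# Lines for /etc/sysctl.conf. The post sets only net.ipv4.ip_forward;
# the IPv6 flag is added here because the ip6tables MASQUERADE rules
# do nothing useful until IPv6 forwarding is on as well.
render_sysctl() {
  printf 'net.ipv4.ip_forward = 1\n'
  printf 'net.ipv6.conf.all.forwarding = 1\n'
}

# One rule set: $1 is the iptables action (-A to add, -D to delete),
# $2 the tunnel interface, $3 the upstream (internet-facing) interface.
# Using the same renderer for both lines guarantees PostDown removes
# exactly what PostUp added.
render_rules() {
  action="$1"; wg_if="$2"; wan_if="$3"
  printf 'iptables %s FORWARD -i %s -j ACCEPT; ' "$action" "$wg_if"
  printf 'iptables -t nat %s POSTROUTING -o %s -j MASQUERADE; ' "$action" "$wan_if"
  printf 'ip6tables %s FORWARD -i %s -j ACCEPT; ' "$action" "$wg_if"
  printf 'ip6tables -t nat %s POSTROUTING -o %s -j MASQUERADE' "$action" "$wan_if"
}

render_postup()   { printf 'PostUp = %s\n'   "$(render_rules -A "$1" "$2")"; }
render_postdown() { printf 'PostDown = %s\n' "$(render_rules -D "$1" "$2")"; }

# Check one forwarding flag. $1 is the flag's /proc file (defaults to the
# IPv4 one); taking a path lets the check run against a constructed file.
forwarding_enabled() {
  f="${1:-/proc/sys/net/ipv4/ip_forward}"
  [ -r "$f" ] && [ "$(cat "$f")" = "1" ]
}

# When run directly: print the lines to paste, then report the live flags.
WG_IF="${WG_IF:-wg0}"
WAN_IF="${WAN_IF:-eth0}"
echo "# /etc/sysctl.conf (apply with: sudo sysctl -p)"
render_sysctl
echo
echo "# paste under [Interface] in ${WG_IF}.conf, before any [Peer]"
render_postup "$WG_IF" "$WAN_IF"
render_postdown "$WG_IF" "$WAN_IF"
echo
for flag in /proc/sys/net/ipv4/ip_forward /proc/sys/net/ipv6/conf/all/forwarding; do
  if forwarding_enabled "$flag"; then
    echo "ok:  $flag = 1"
  else
    echo "OFF: $flag (endpoint will not route peer traffic)"
  fi
done
```

Run it as `WG_IF=wg0 WAN_IF=eth0 sh endpoint.sh` and paste the output into the two files; the flag report at the end is the quick way to tell "tunnel is up but nothing routes" apart from a peer-side problem. One caveat the rendered rules share with the post: `-i wg0 -j ACCEPT` only admits packets arriving from the tunnel, so on a box whose FORWARD chain defaults to DROP, return traffic also needs a `-o wg0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT` rule.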

There you have it. The rest is pretty straightforward, and honestly if you can’t figure the rest out you’re kinda useless for networking anyways. The other stuff is super fucking easy to configure, and it just works right out of the box if you don’t need to set up routing/masquerading.