A script for the Wireguard config options PostUp/PostDown entries. It will allow peers to connect to the Wireguard interface and do IP forwarding (port forwarding will be added later)

README.md

IfScript

Hi, I made this for my use-case, but feel free to use it :)
This is currently only handling the NAT side of things, not PAT!
The from-to port options is just a placeholder it will use the first port specified.

route_port 80 80 tcp $vpn_ip $server_ip

How to use?

Download and make executable

$ wget https://gist.githubusercontent.com/Sherex/78f6d8d8ed4223f8995d1d01f790a11b/raw/c0a87d74ed412e9934bab1e1cfde3aee5957bff7/ifscript.sh -O /etc/wireguard/ifscript.sh

$ chmod +x /etc/wireguard/ifscript.sh

Edit ifscript.sh to suit your needs, I recommend double checking these variables at the top of the file:

Variable	Example value	Description
int_interface	"eth0"	Make sure this matches the interface, packets should be directed from! (common interfaces are "eth0" and "ens18")
vpn_ip	"10.50.0.1"	This should be the IP your server the packets will be sent from after the forward
server_ip	"10.50.0.249"	This should be the IP the server that should receive the packets

Note: This can easily be configured to route traffic out from the wg0 interface and to a server on the same network. Just set vpn_ip to the IP of the interface on the local network and server_ip to the server that should receive the packets.
And swap the values of the variables int_interface and interface

Change the lines in your /etc/wireguard/wg0.conf to:

...
PostUp = /etc/wireguard/ifscript.sh up %i
PostDown = /etc/wireguard/ifscript.sh down %i
...

Enable IP forwarding

Temporary (until next reboot)

Run this:

$ sysctl -w net.ipv4.ip_forward=1

Permanent

And last, but just as important, in the file /etc/sysctl.conf uncomment the line

net.ipv4.ip_forward = 1

Then run this to reload sysctl configuration:

$ sysctl -p

My use-case

As I don't have access to the external facing router on my network ( Renting is fun :) ), I set this up.

A VPS routes traffic from specified ports (80 and 443) to a local VM behind NAT.
Then that VM routes the traffic to another VM on it's local network.

Internet -> VPS [wireguard tunnel -> network-VM] --> docker-VM

ifscript.sh

#!/bin/bash

action=$1
interface=$2
int_interface="eth0"
vpn_ip="10.50.0.1"
server_ip="10.50.0.249"

[[ "$action" = "up" ]] && action_arg="A" || action_arg="D"

log () {
  [[ "$action" = "up" ]] && local cmd_action="Enabling" || local cmd_action="Disabling"
  echo "[ifscript.sh] $cmd_action $@"
}

route_port () {
  local from_port=$1
  local to_port=$2
  local protocol=$3
  local src_ip=$4
  local dest_ip=$5

  log "routes from $src_ip:$from_port/$protocol to $dest_ip:$from_port/$protocol through vpn"
  iptables -P FORWARD DROP
  iptables -$action_arg FORWARD -i $int_interface -o $interface -p $protocol -m state --state NEW --dport $from_port -m conntrack --ctstate NEW -j ACCEPT

  iptables -t nat -$action_arg PREROUTING -i $int_interface -p $protocol --dport $from_port -j DNAT --to-destination $dest_ip
  iptables -t nat -$action_arg POSTROUTING -o $interface -p $protocol --dport $from_port -d $dest_ip -j SNAT --to-source $src_ip
}

log "iptables rules for ${interface}"

# Allow peers to connect to the wireguard interface
iptables -$action_arg FORWARD -i $interface -j ACCEPT
iptables -t nat -$action_arg POSTROUTING -o $int_interface -j MASQUERADE

# Route "ESTABLISHED,RELATED" traffic to and from the vpn tunnel
iptables -$action_arg FORWARD -i $int_interface -o $interface -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -$action_arg FORWARD -i $interface -o $int_interface -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

route_port 80 80 tcp $vpn_ip $server_ip
route_port 443 443 tcp $vpn_ip $server_ip