cloud-basis/templates/etc/wireguard/wireguard-server.conf.j2

[Interface]
Address = {{ wireguard_gateway_net_prefix }}.1/{{ wireguard_gateway_net_cidr }}
ListenPort = {{ wireguard_gateway_port }}
PrivateKey = {{ wireguard_gateway_private_key }}

{% if wireguard_gateway_forward is defined and wireguard_gateway_forward | length > 0 %}
PreUp = sysctl -w net.ipv4.ip_forward=1
PreUp = sysctl -w net.ipv6.conf.all.forwarding=1

{% for config in wireguard_gateway_forward %}
PreUp = iptables -t nat -A PREROUTING -i {{ wireguard_gateway_interface }} -p {{ config.protocol | default('tcp') }} --dport {{ config.server_port }} -j DNAT --to-destination {{ wireguard_gateway_net_prefix }}.{{ config.client_index }}:{{ config.client_port }}
PostDown = iptables -t nat -D PREROUTING -i {{ wireguard_gateway_interface }} -p {{ config.protocol | default('tcp') }} --dport {{ config.server_port }} -j DNAT --to-destination {{ wireguard_gateway_net_prefix }}.{{ config.client_index }}:{{ config.client_port }}

{% endfor %}
PreUp = iptables -t nat -A POSTROUTING -o {{ cloud_name }} -j MASQUERADE
PostDown = iptables -t nat -D POSTROUTING -o {{ cloud_name }} -j MASQUERADE
{% endif %}

{% for client in wireguard_clients %}
## Wireguard {{ cloud_name }} - {{ client }} ##
[Peer]
PublicKey = {{ wireguard_clients[client].public_key }}
AllowedIPs = {{ wireguard_gateway_net_prefix }}.{{ wireguard_clients[client].index }}/32

{% endfor %}