I am attempting to configure a VPS running Alpine Linux 3.18.4 to do a few things:

Accept incoming traffic on WireGuard interface wg0, from there:

  1. Allow peer-to-peer communication in the 10.7.2.0/24 subnet
  2. Provide a default route (Internet) through the WireGuard client on wg1 (NOT eth0)

So far WireGuard works on both interfaces. If I ip route add 1.1.1.1 dev wg0 I can ping -I wg1 1.1.1.1. For wg0 I can ping the server from the client.

The problem is setting up SNAT/NAT/routing. I’ve been banging my head against a wall trying to figure this stuff out, and everything I read online seems tailored to the “I just want WireGuard clients to use the VPS’ internet connection on eth0 directly” mentality. I’ve even been chatting in circles with ChatGPT and getting nowhere.

Below are my configuration files, but I’ll leave out routing tables, rules, etc. because at this point I’ll probably blow away the entire VPS and restore just the files I have here:

/etc/network/interfaces (just wg0, wg1):

auto wg0
iface wg0 inet static
    address 10.2.7.1/24
    pre-up ip link add dev wg0 type wireguard
    pre-up wg setconf wg0 /etc/wireguard/wg0.conf
    # the /24 address above already installs this connected route; "replace"
    # keeps a re-run of ifup from failing with "File exists"
    post-up ip route replace 10.2.7.0/24 dev wg0
    # one command per hook line so a failure is reported against the right command
    post-up iptables -A FORWARD -i wg0 -j ACCEPT
    post-up iptables -t nat -A POSTROUTING -o wg1 -j MASQUERADE
    post-down iptables -D FORWARD -i wg0 -j ACCEPT
    post-down iptables -t nat -D POSTROUTING -o wg1 -j MASQUERADE
    post-down ip link delete wg0

auto wg1
iface wg1 inet static
    address 172.30.66.233/32
    pre-up ip link add dev wg1 type wireguard
    pre-up wg setconf wg1 /etc/wireguard/wg1.conf
    post-down ip link delete wg1

iface wg1 inet6 static
    address fd00:4956:504e:ffff::ac1e:42e9/128
    pre-up ip -6 addr add fd00:4956:504e:ffff::ac1e:42e9/128 dev wg1
    post-down ip -6 addr del fd00:4956:504e:ffff::ac1e:42e9/128 dev wg1

I have Address commented out in the files below because Alpine Linux doesn't like it.

/etc/wireguard/wg0.conf:

[Interface]
# Address = 10.2.7.1/24
ListenPort = 51820
PrivateKey = [REDACTED]

[Peer]
PublicKey = [REDACTED]
# 0.0.0.0/0 and ::0/0 already include 10.2.7.0/24. A prefix can belong to only
# one peer per interface, so no second peer on wg0 could also be given 0.0.0.0/0.
AllowedIPs = 10.2.7.0/24,0.0.0.0/0,::0/0

/etc/wireguard/wg1.conf:

[Interface]
# Address = 172.30.X.X/32
PrivateKey = [REDACTED]

[Peer]
PublicKey = [REDACTED]
# wg1 only emits packets whose destination is inside AllowedIPs, so 0.0.0.0/0
# is what lets forwarded Internet traffic leave through wg1; 10.2.7.0/24 is
# redundant with it.
AllowedIPs = 10.2.7.0/24,0.0.0.0/0
Endpoint = [REDACTED]:[REDACTED]
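The missing piece the question describes is routing, not NAT: wg setconf installs no routes, so the main table still sends everything to the default route on eth0, and the MASQUERADE rule on wg1 never sees a packet. The following is an added example, not part of the original post or of the poster's configuration, showing policy routing for exactly the layout above (wg0 server side with 10.2.7.0/24, wg1 as upstream tunnel). The routing table id 100 and ip rule priority 100 are assumptions; the interface names and subnet come from the post. The script emits the commands as a plan so they can be reviewed before being applied as root with "up".

```shell
#!/bin/sh
# Added example (not from the original post): steer traffic arriving on wg0
# out through wg1 with a dedicated routing table, leaving the main table's
# default route on eth0 untouched. Assumed: table id 100, rule priority 100,
# run as root on the VPS when invoked as "up" or "down".

CLIENT_IF="${CLIENT_IF:-wg0}"           # server side, the peers live here
CLIENT_NET="${CLIENT_NET:-10.2.7.0/24}"
UPSTREAM_IF="${UPSTREAM_IF:-wg1}"       # client side of the upstream VPN
TABLE="${TABLE:-100}"                   # assumed routing table id
PRIO="${PRIO:-100}"                     # assumed ip rule priority

# Emit the commands rather than running them directly so the plan can be
# read (and tested) before anything touches the live box.
plan_up() {
    printf 'sysctl -q -w net.ipv4.ip_forward=1\n'
    # Table 100: the client subnet stays on wg0 (peer-to-peer), everything
    # else goes down the upstream tunnel. This is the only place wg1 ever
    # becomes a default route, so the VPS itself keeps using eth0.
    printf 'ip route replace %s dev %s table %s\n' "$CLIENT_NET" "$CLIENT_IF" "$TABLE"
    printf 'ip route replace default dev %s table %s\n' "$UPSTREAM_IF" "$TABLE"
    # Only packets sourced from the client subnet consult table 100; the
    # wg1 handshake to its Endpoint still leaves via the main table.
    printf 'ip rule add from %s lookup %s priority %s\n' "$CLIENT_NET" "$TABLE" "$PRIO"
    # Forward wg0<->wg0 (peer-to-peer) and wg0->wg1 plus replies; anything
    # else from wg0 is dropped, so a routing slip can never leak it to eth0.
    printf 'iptables -A FORWARD -i %s -o %s -j ACCEPT\n' "$CLIENT_IF" "$CLIENT_IF"
    printf 'iptables -A FORWARD -i %s -o %s -j ACCEPT\n' "$CLIENT_IF" "$UPSTREAM_IF"
    printf 'iptables -A FORWARD -i %s -o %s -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT\n' "$UPSTREAM_IF" "$CLIENT_IF"
    printf 'iptables -A FORWARD -i %s -j DROP\n' "$CLIENT_IF"
    # Source NAT only for the client subnet leaving via wg1, so the upstream
    # provider sees the wg1 address rather than 10.2.7.x.
    printf 'iptables -t nat -A POSTROUTING -s %s -o %s -j MASQUERADE\n' "$CLIENT_NET" "$UPSTREAM_IF"
}

plan_down() {
    printf 'iptables -t nat -D POSTROUTING -s %s -o %s -j MASQUERADE\n' "$CLIENT_NET" "$UPSTREAM_IF"
    printf 'iptables -D FORWARD -i %s -j DROP\n' "$CLIENT_IF"
    printf 'iptables -D FORWARD -i %s -o %s -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT\n' "$UPSTREAM_IF" "$CLIENT_IF"
    printf 'iptables -D FORWARD -i %s -o %s -j ACCEPT\n' "$CLIENT_IF" "$UPSTREAM_IF"
    printf 'iptables -D FORWARD -i %s -o %s -j ACCEPT\n' "$CLIENT_IF" "$CLIENT_IF"
    printf 'ip rule del from %s lookup %s priority %s\n' "$CLIENT_NET" "$TABLE" "$PRIO"
    printf 'ip route flush table %s\n' "$TABLE"
}

# Sanity check on the plan: no generated command may mention eth0, and the
# single default route written must point at the upstream tunnel.
plan_check() {
    plan="$(plan_up)"
    printf '%s\n' "$plan" | grep -q 'eth0' && return 1
    printf '%s\n' "$plan" | grep -c '^ip route replace default' | grep -qx 1 || return 1
    printf '%s\n' "$plan" | grep '^ip route replace default' | grep -q "dev $UPSTREAM_IF " || return 1
    return 0
}

case "${1:-}" in
    up)   plan_check && plan_up | sh -e ;;
    down) plan_down | sh ;;
esac
```

Run it with "up" once both tunnels exist (for example from a post-up line on wg1, since table 100's default route needs wg1 present). The wg1 peer must keep 0.0.0.0/0 in its AllowedIPs, as the posted wg1.conf does, or the kernel will route into wg1 and WireGuard's cryptokey routing will silently drop the packets. If the broad post-up rule "iptables -A FORWARD -i wg0 -j ACCEPT" from the interfaces file is still present it is appended first and matches before this script's narrower rules, so drop it from the interfaces file when using this plan. After applying, "ip rule show", "ip route show table 100" and "iptables -S FORWARD" should show exactly the lines the plan printed.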