@termermc
Created March 21, 2022 15:04
Port forwarding through Wireguard (script to be run on the server)
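#!/usr/bin/env bash
# Usage: ./wireguard_port_forward.sh <client IP> <server IP> <port>
# Example: ./wireguard_port_forward.sh 10.0.0.2 10.0.0.1 8080
# Script must be run as root
# Assumes the public interface is eth0, the WireGuard interface is wg0, and net.ipv4.ip_forward=1
set -euo pipefail
[ "$#" -eq 3 ] || { echo "Usage: $0 <client IP> <server IP> <port>" >&2; exit 1; }
CLIENT=$1   # WireGuard address of the peer that hosts the service
SERVER=$2   # WireGuard address of this server
PORT=$3     # TCP port to forward
# Allow new inbound TCP connections to the forwarded port (eth0 -> wg0)
iptables -A FORWARD -i eth0 -o wg0 -p tcp --syn --dport "$PORT" -m conntrack --ctstate NEW -j ACCEPT
# Allow packets of already-tracked connections in both directions
iptables -A FORWARD -i eth0 -o wg0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i wg0 -o eth0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Rewrite the destination of TCP packets arriving on eth0 for this port to the client
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport "$PORT" -j DNAT --to-destination "$CLIENT"
# Rewrite the source to the server's WireGuard address so replies come back through the tunnel;
# the client therefore sees the server's address, not the original remote address
iptables -t nat -A POSTROUTING -o wg0 -p tcp --dport "$PORT" -d "$CLIENT" -j SNAT --to-source "$SERVER"
# Persist the rules across reboots
netfilter-persistent save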