It could be helpful to know on what OS you install the server. Debian behaves a little differently from Ubuntu. I would say Ubuntu is easier to start with, but Debian is much clearer to analyse.
It even works virtualized as LXC, just mount the /dev/net/tun from the host in the container.
I found my error. Okay, some errors. Here is the actual working Configuration:
root@walter01:~# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT udp -- anywhere anywhere udp dpt:51820
Chain FORWARD (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT all -- 10.7.0.0/24 anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
root@walter01:~# ip r
default via 192.168.21.1 dev eth0 onlink
10.7.0.0/24 dev wg0 proto kernel scope link src 10.7.0.1
192.168.21.0/24 dev eth0 proto kernel scope link src 192.168.21.51
192.168.21.0/24 is my home net; 192.168.21.51 is my WireGuard ‘Server’.
The server configuration
root@walter01:~# cat /etc/wireguard/wg0.conf
# Do not alter the commented lines
# They are used by wireguard-install
# ENDPOINT vpn.mydomain.net
[Interface]
Address = 10.7.0.1/24, fddd:2c4:2c4:2c4::1/64
PrivateKey = UGHxxxxx
ListenPort = 51820
# BEGIN_PEER amy
[Peer]
PublicKey = hI8xxxxx
PresharedKey = Ew7xxxxx
AllowedIPs = 10.7.0.2/32, fddd:2c4:2c4:2c4::2/128
# END_PEER amy
The client configuration
root@walter01:~# cat amy.conf
[Interface]
Address = 10.7.0.2/24, fddd:2c4:2c4:2c4::2/64
DNS = 192.168.21.53
PrivateKey = 4P8xxxxxx
[Peer]
PublicKey = UlExxxxxx
PresharedKey = Ew7xxxxxx
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = vpn.mydomain.net:51820
PersistentKeepalive = 25
192.168.21.53 is my own DNS (PiHole).
As far as I understand, AllowedIPs = 0.0.0.0/0 will send all traffic over the tunnel, so I don’t need to specify my network.
If you’d like to have the normal traffic over the normal net and only your site over the tunnel, you can specify a host or net here.
Now I will rewrite the iptables rules to nftables …
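To make the AllowedIPs point concrete, here is an added example (not code from the post above) that models WireGuard's cryptokey routing on the client side: for a destination address, the peer whose AllowedIPs entry has the longest matching prefix is chosen, and a destination that matches no entry is not sent through the tunnel at all. The two embedded configs are constructed: the full-tunnel one mirrors the shape of amy.conf with placeholder keys, the split-tunnel one only lists the VPN net and the home net. It also goes beyond the post's single full-tunnel case by handling several peers, since that is where longest-prefix selection actually matters.

```python
"""Model WireGuard's AllowedIPs selection (cryptokey routing) for a client config.

Added example, not part of the original post. WireGuard picks, per outgoing
packet, the peer whose AllowedIPs contains the destination with the longest
prefix; if no peer matches, the packet never enters the tunnel. This lets the
full-tunnel (0.0.0.0/0, ::/0) and split-tunnel variants be compared offline.
"""
import ipaddress
from typing import Optional

# Constructed config in the shape of the post's amy.conf; keys are placeholders.
FULL_TUNNEL_CONF = """
[Interface]
Address = 10.7.0.2/24, fddd:2c4:2c4:2c4::2/64
DNS = 192.168.21.53
PrivateKey = PLACEHOLDER_CLIENT_PRIVATE_KEY

[Peer]
PublicKey = PLACEHOLDER_SERVER_PUBLIC_KEY
PresharedKey = PLACEHOLDER_PRESHARED_KEY
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = vpn.mydomain.net:51820
PersistentKeepalive = 25
"""

# Constructed split-tunnel variant: only the VPN net and the home net go through.
SPLIT_TUNNEL_CONF = """
[Interface]
Address = 10.7.0.2/24
DNS = 192.168.21.53
PrivateKey = PLACEHOLDER_CLIENT_PRIVATE_KEY

[Peer]
PublicKey = PLACEHOLDER_SERVER_PUBLIC_KEY
AllowedIPs = 10.7.0.0/24, 192.168.21.0/24
Endpoint = vpn.mydomain.net:51820
"""


def parse_wg_conf(text: str) -> dict:
    """Parse a wg-quick style config into {'Interface': {...}, 'Peers': [...]}.

    Written by hand because configparser rejects the repeated [Peer] sections
    that WireGuard configs legitimately contain.
    """
    result = {"Interface": {}, "Peers": []}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # strip comments and whitespace
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            name = line[1:-1]
            if name == "Interface":
                current = result["Interface"]
            elif name == "Peer":
                current = {}
                result["Peers"].append(current)
            else:
                raise ValueError(f"unknown section {name!r}")
            continue
        key, sep, value = line.partition("=")
        if current is None or not sep:
            raise ValueError(f"malformed line: {raw!r}")
        current[key.strip()] = value.strip()
    return result


def allowed_networks(peer: dict) -> list:
    """Return the peer's AllowedIPs as ip_network objects (v4 and v6 mixed)."""
    return [ipaddress.ip_network(s.strip(), strict=False)
            for s in peer.get("AllowedIPs", "").split(",") if s.strip()]


def route_peer(conf: dict, destination: str) -> Optional[dict]:
    """Return the peer with the longest AllowedIPs prefix matching destination."""
    dst = ipaddress.ip_address(destination)
    best, best_len = None, -1
    for peer in conf["Peers"]:
        for net in allowed_networks(peer):
            if dst.version == net.version and dst in net and net.prefixlen > best_len:
                best, best_len = peer, net.prefixlen
    return best


def goes_through_tunnel(conf_text: str, destination: str) -> bool:
    """True if the destination would be sent to some peer over wg0."""
    return route_peer(parse_wg_conf(conf_text), destination) is not None


if __name__ == "__main__":
    for label, conf in (("full", FULL_TUNNEL_CONF), ("split", SPLIT_TUNNEL_CONF)):
        for dst in ("1.1.1.1", "192.168.21.53", "10.7.0.1", "2001:db8::1"):
            print(f"{label:5} {dst:>14} -> tunnel={goes_through_tunnel(conf, dst)}")
```

One thing worth checking with the split-tunnel form: the DNS address from the Interface section should itself fall inside AllowedIPs (192.168.21.53 is covered by 192.168.21.0/24 here), otherwise name resolution goes out over the normal net while the rest of the traffic to your site is tunnelled, which is rarely what is intended.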