diff --git a/tasks/main.yml b/tasks/main.yml
index 655a2f0..a1b8e92 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -11,3 +11,10 @@
   - config
   - wireguard
   - vault
+- name: Enable forwarding in sysctl
+  loop:
+    - { name: "net.ipv4.ip_forward", value: "1" }
+  sysctl:
+    name: "{{ item.name }}"
+    value: "{{ item.value }}"
+    sysctl_set: yes
diff --git a/templates/wireguard.conf.j2 b/templates/wireguard.conf.j2
index f9312d0..dc30c1c 100644
--- a/templates/wireguard.conf.j2
+++ b/templates/wireguard.conf.j2
@@ -1,7 +1,7 @@
 [Interface]
 Address = {{ wireguard.net.v4.addr }}.1/{{ wireguard.net.v4.range.serv }}, {{ wireguard.net.v6.addr }}:1/{{ wireguard.net.v6.range.serv }}
-PostUp = iptables -A FORWARD -i {{ wireguard.interface }} -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE; ip6tables -A FORWARD -i {{ wireguard.interface }} -j ACCEPT; ip6tables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
-PostDown = iptables -D FORWARD -i {{ wireguard.interface }} -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE; ip6tables -D FORWARD -i {{ wireguard.interface }} -j ACCEPT; ip6tables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
+PostUp = iptables -A FORWARD -i {{ wireguard.interface }} -j ACCEPT; iptables -A FORWARD -o {{ wireguard.interface }} -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE; ip6tables -A FORWARD -o {{ wireguard.interface }} -j ACCEPT; ip6tables -A FORWARD -i {{ wireguard.interface }} -j ACCEPT; ip6tables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
+PostDown = iptables -D FORWARD -o {{ wireguard.interface }} -j ACCEPT; iptables -D FORWARD -i {{ wireguard.interface }} -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE; ip6tables -D FORWARD -o {{ wireguard.interface }} -j ACCEPT; ip6tables -D FORWARD -i {{ wireguard.interface }} -j ACCEPT; ip6tables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
 ListenPort = {{ wireguard.port }}
 PrivateKey = {{ vault_wireguard.privkey }}
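Review bot: The new sysctl task enables only `net.ipv4.ip_forward`, while the template changed in the same commit assigns an IPv6 tunnel address and adds ip6tables FORWARD and MASQUERADE rules, so IPv6 traffic from peers will pass the firewall but never be routed. Add `- { name: "net.ipv6.conf.all.forwarding", value: "1" }` to the loop so both address families are handled alike. Because this turns the host into a router on every interface, not just the tunnel, the task deserves a comment such as `# host now forwards on all interfaces; the FORWARD chain is what confines this (assumes default policy DROP - confirm)`, since nothing in this diff sets that policy.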
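Review bot: The added `-o {{ wireguard.interface }} -j ACCEPT` rules in PostUp accept any forwarded packet whose egress is the tunnel, regardless of origin or connection state, so any host on the eth0 side that can route to the tunnel prefix may initiate connections to peers' private addresses. The only reverse-direction traffic this setup needs is the de-NATed replies to peer-initiated flows, so tighten both families to `-m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT` and mirror the same match in the PostDown `-D` rules, otherwise the delete will not match the rule it is meant to remove. These rules only confine anything if the FORWARD chain's default policy is DROP, which this diff does not set; presumably that is handled elsewhere in the role, but it is worth confirming. The hard-coded `eth0` on four rules would also be better as a role variable, since the rest of each line is already templated.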