
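# WireGuard configuration for wg-quick, rendered from a Jinja2 template.
# The rendered file contains the interface private key in plain text.
# NOTE(review): the task that writes this file is not visible here - confirm it
# sets a root-only mode (for example 0600) and does not log the rendered content.
[Interface]
Address = {{ wireguard_network }}
ListenPort = {{ wireguard_port }}
{# Key selection: the literal string "False" means no key was supplied, so the
   stdout of wg_private_key (presumably a registered command result) is used.
   NOTE(review): a boolean false does not equal the string "False" and would be
   rendered as the key itself - confirm the variable always arrives as a string. #}
{% if wireguard_private_key == "False" %}
PrivateKey = {{ wg_private_key.stdout }}
{% else %}
PrivateKey = {{ wireguard_private_key }}
{% endif %}
# The hooks below are executed by wg-quick through the shell with root
# privileges; %i is replaced with the interface name. The uplink interface name
# is substituted into these commands at render time, so it must come from a
# trusted, validated variable (a plain interface name, nothing else).
# Enable IPv4 forwarding so peer traffic can be routed through this host.
PreUp = sysctl -w net.ipv4.ip_forward=1
# Accept all forwarded traffic entering or leaving the tunnel and masquerade it
# out of the uplink. These rules place no limit on destinations; add narrower
# FORWARD rules if peers should only reach specific networks.
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o {{ interface_id }} -j MASQUERADE
# Clamp the TCP MSS of forwarded connections to the path MTU.
PostUp = iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o {{ interface_id }} -j MASQUERADE
# Remove the MSS clamp rule too; without this every up/down cycle leaves one
# more copy of it in the FORWARD chain.
PostDown = iptables -D FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
# NOTE(review): this disables IPv4 forwarding for the whole host, not just this
# tunnel. Confirm nothing else on the machine (containers, other VPNs, routing)
# depends on forwarding before keeping this line.
PostDown = sysctl -w net.ipv4.ip_forward=0
{# peers is a JSON string decoded with from_json; each entry supplies peer_ip,
   public_key and allowed_ips, which are rendered verbatim. Validate them where
   the JSON is produced (single-line values in the expected format).
   Every peer is assumed to listen on the same port as this host.
   AllowedIPs decides which source addresses are accepted from a peer, so keep
   each entry as narrow as the peer needs. PersistentKeepalive is in seconds. #}
{% if peers %}
{% for peer in (peers | from_json) %}
[Peer]
Endpoint = {{peer.peer_ip}}:{{wireguard_port}}
PublicKey = {{ peer.public_key }}
AllowedIPs = {{ peer.allowed_ips}}
PersistentKeepalive = 25
{% endfor %}
{% endif %}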