Best way to make Yunohost and Wireguard exist together

I have set up a Yunohost server which also runs Wireguard. I want to provide VPN service to my friends but I don’t want to enable peer-to-peer connection between VPN clients. So what would be the better way to set things up so that Yunohost and Wireguard can exist together?

a) Disable IP forwarding, enable packet forwarding between eth0 and wg0 with iptables:

net.ipv4.ip_forward = 0
iptables -A FORWARD -i eth0 -o wg0 -j ACCEPT
iptables -A FORWARD -i wg0 -o eth0 -j ACCEPT

b) Keep IP forwarding on (as it is out of the box), disable packet forwarding from wg0 to wg0 with iptables:

net.ipv4.ip_forward = 1
iptables -A FORWARD -i wg0 -o wg0 -j REJECT

Which would be the more efficient and safer way of doing it? I’m also open to different ideas other than these two.
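An added example, not from the original post: a POSIX sh script for the second approach (forwarding on, peers isolated) that prints the rules in first-match order and includes a small evaluator so the policy can be checked before it is applied as root. It assumes wg0 is the tunnel, eth0 is the uplink, 10.0.0.0/24 (constructed) is the tunnel subnet, and the FORWARD chain policy is DROP.

```shell
#!/bin/sh
# Added example (not from the original post). Interface names and the
# tunnel subnet below are assumptions; adjust them to the real setup.
WG_IF="${WG_IF:-wg0}"
WAN_IF="${WAN_IF:-eth0}"
WG_NET="${WG_NET:-10.0.0.0/24}"

# Rules in the order they must be appended: iptables stops at the first
# match, so the peer-to-peer REJECT goes before any ACCEPT for wg0 traffic.
# Return traffic from the uplink is admitted only for existing flows.
wg_isolation_rules() {
    cat <<EOF
iptables -A FORWARD -i $WG_IF -o $WG_IF -j REJECT --reject-with icmp-admin-prohibited
iptables -A FORWARD -i $WG_IF -o $WAN_IF -j ACCEPT
iptables -A FORWARD -i $WAN_IF -o $WG_IF -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A POSTROUTING -s $WG_NET -o $WAN_IF -j MASQUERADE
EOF
}

# First-match evaluator over the FORWARD rules above: prints the verdict
# (ACCEPT/REJECT, or DROP for the chain policy) for in_if out_if [ctstate].
wg_forward_verdict() {
    in_if=$1; out_if=$2; state=${3:-NEW}
    verdict=$(wg_isolation_rules | grep ' FORWARD ' | while read -r line; do
        r_in=$(printf '%s\n' "$line" | sed -n 's/.* -i \([^ ]*\).*/\1/p')
        r_out=$(printf '%s\n' "$line" | sed -n 's/.* -o \([^ ]*\).*/\1/p')
        r_state=$(printf '%s\n' "$line" | sed -n 's/.*--ctstate \([^ ]*\).*/\1/p')
        r_target=$(printf '%s\n' "$line" | sed -n 's/.* -j \([^ ]*\).*/\1/p')
        [ "$r_in" = "$in_if" ] || continue
        [ "$r_out" = "$out_if" ] || continue
        if [ -n "$r_state" ]; then
            case ",$r_state," in *",$state,"*) ;; *) continue ;; esac
        fi
        echo "$r_target"; break
    done)
    echo "${verdict:-DROP}"
}

# Apply for real only when invoked as: sh this_script.sh apply (as root).
if [ "${1:-}" = "apply" ]; then
    sysctl -w net.ipv4.ip_forward=1
    iptables -P FORWARD DROP
    wg_isolation_rules | sh
fi
```

Run without arguments it only prints the rules; `wg_forward_verdict wg0 wg0` answers REJECT, which is the peer-to-peer case the question is about.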
