Stabilize Netclient Connections Behind NAT

Enable IP forwarding at the kernel level

By default, most systems have forwarding turned off. To turn port forwarding on permanently, edit the /etc/sysctl.conf file with sudo privileges:

sudo nano /etc/sysctl.conf

Inside the file, add this line at the bottom:

net.ipv4.ip_forward=1

Save and close the file.

Apply sysctl settings

Apply the settings you added:

sudo sysctl -p

Then load the system-wide settings:

sudo sysctl --system

Identify WAN and LAN interfaces

Find the WAN and LAN interfaces on the machine using:

ip a

(Example image)

Add DNAT rule to forward incoming traffic

Use the -j DNAT target of the PREROUTING chain in the nat table to forward incoming packets to the internal IP and port. Replace {PUBLIC_IP} and {INTERNAL_IP} with your values:

iptables -t nat -A PREROUTING -i eth0 -p udp -d {PUBLIC_IP} --dport 55555 -j DNAT --to {INTERNAL_IP}:55555

Configure IP masquerading (SNAT)

Allow LAN nodes with private IP addresses to communicate with external public networks by masquerading outbound traffic on the external interface (e.g., eth0):

iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

Result

Now the port forwarding rule for UDP port 55555 is set on the Linux machine and can be used for WireGuard/Netclient connections.