I spent an enormous time troubleshooting this as well. I found the Unraid documentation (VPN | Unraid Docs) to be helpful, but lacking in one key area. I did disable NAT in wireguard, enabled host access to custom networks in docker, and added a static route in my router, but I was left with access to only my LAN, and no access to the broader internet in wireguard's "Remote tunneled access" mode. I inspected my file at /boot/config/wireguard/wg0.conf and the PostUp and PostDown commands looked like this: ``` PostUp=logger -t wireguard -- 'Tunnel WireGuard-wg0 started'; /usr/local/emhttp/webGui/scripts/update_services PostDown=logger -t wireguard -- 'Tunnel WireGuard-wg0 stopped'; /usr/local/emhttp/webGui/scripts/update_services PostUp=ip -4 route flush table 200 PostUp=ip -4 route add default via 10.253.0.1 dev wg0 table 200 PostUp=ip -4 route add 192.168.68.0/22 via 192.168.68.1 dev br0 table 200 PostDown=ip -4 route flush table 200 PostDown=ip -4 route add unreachable default table 200 PostDown=ip -4 route add 192.168.68.0/22 via 192.168.68.1 dev br0 table 200 ``` I edited them to look like this (adding two lines and replacingbr0 with shim-br0 and it works great! shim-br0 is created when "host access to custom networks" in Docker is turned on. We need to tell wireguard to send outbound internet traffic through shim-br0 instead of br0. ``` PostUp=logger -t wireguard -- 'Tunnel WireGuard-wg0 started'; /usr/local/emhttp/webGui/scripts/update_services PostDown=logger -t wireguard -- 'Tunnel WireGuard-wg0 stopped'; /usr/local/emhttp/webGui/scripts/update_services # Add these two lines PostUp = iptables -t nat -A POSTROUTING -s 10.253.0.0/24 -o shim-br0 -j MASQUERADE PostDown = iptables -t nat -D POSTROUTING -s 10.253.0.0/24 -o shim-br0 -j MASQUERADE PostUp=ip -4 route flush table 200 PostUp=ip -4 route add default via 10.253.0.1 dev wg0 table 200 PostUp=ip -4 route add 192.168.68.0/22 via 192.168.68.1 dev shim-br0 table 200 PostDown=ip -4 route flush table 200 PostDown=ip -4 route add unreachable default table 200 PostDown=ip -4 route add 192.168.68.0/22 via 192.168.68.1 dev shim-br0 table 200 ``` Now my client connected via wireguard remote tunneled access can reach the internet!