Make WireGuard route-sink the WG_routes

wireguard/wg0.conf.tmpl

@@ -2,8 +2,13 @@
 PrivateKey = ${wg_key}
 Address = ${wg_address}/${wg_prefix:-32}
 ListenPort = ${wg_port:-51820}
-PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
-PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
+PostUp = iptables -A FORWARD -i wg0 -j ACCEPT;
+{{ if len "${wg_routes:-}" }}{{ range "$wg_routes" | split "," }}PostUp = ip -4 route add {{ . }} dev wg0
+{{ end }}{{ end }}
+PostDown = iptables -D FORWARD -i wg0 -j ACCEPT
+{{ if len "${wg_routes:-}" }}{{ range "$wg_routes" | split "," }}PostDown = ip -4 route del {{ . }} dev wg0
+{{ end }}{{ end }}
+Table = off
 
 {{ range files "wireguard/peers" }} {{ if ne . "${tinc_peer_name}" }}
 [Peer]