diff --git a/nixos/hosts/osaka-vultr-01/default.nix b/nixos/hosts/osaka-vultr-01/default.nix
index 68c3e653..d458e87a 100644
--- a/nixos/hosts/osaka-vultr-01/default.nix
+++ b/nixos/hosts/osaka-vultr-01/default.nix
@@ -45,8 +45,16 @@
 ips = [ "10.100.0.1/24" ];
 listenPort = 51820;
 privateKeyFile = "/run/secrets/wireguard_keys/osaka-vultr-01";
- postSetup = ''${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s 10.100.0.0/24 -o eno3 -j MASQUERADE'';
- postShutdown = ''${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s 10.100.0.0/24 -o eno3 -j MASQUERADE'';
+ postSetup = ''
+ ${pkgs.iptables}/bin/iptables -A FORWARD -i wireguard0 -j ACCEPT
+ ${pkgs.iptables}/bin/iptables -A FORWARD -o wireguard0 -j ACCEPT
+ ${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s 10.100.0.0/24 -o eno3 -j MASQUERADE
+ '';
+ postShutdown = ''
+ ${pkgs.iptables}/bin/iptables -D FORWARD -i wireguard0 -j ACCEPT
+ ${pkgs.iptables}/bin/iptables -D FORWARD -o wireguard0 -j ACCEPT
+ ${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s 10.100.0.0/24 -o eno3 -j MASQUERADE
+ '';
 peers = [
 { # nixos-rpi4-03
 publicKey = "trHvfNtQ7HKMiJjxEXo2Iubq5G6egjx7gHiBlDmJ5Ek=";
@@ -59,10 +67,6 @@
 };
 };
- networking.firewall.extraCommands = "
- ${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -d 10.100.0.2 -p tcp -m tcp --dport 80 -j MASQUERADE
- ${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -d 10.100.0.2 -p tcp -m tcp --dport 443 -j MASQUERADE
- ";
 networking.nat = {
 enable = true;
 internalInterfaces = [ "wireguard0" ];
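Review bot: The two new FORWARD rules in postSetup are unscoped — `-i wireguard0 -j ACCEPT` lets any peer forward to every destination this host can reach, not only the internet via eno3, and `-o wireguard0 -j ACCEPT` admits unsolicited forwarded traffic toward the peers rather than only replies to what they initiated. Tightening them to `${pkgs.iptables}/bin/iptables -w -A FORWARD -i wireguard0 -s 10.100.0.0/24 -o eno3 -j ACCEPT` and `${pkgs.iptables}/bin/iptables -w -A FORWARD -o wireguard0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT` (with the matching `-D` forms in postShutdown) keeps the tunnel to outbound-only NAT, and `-w` stops the hook from failing when another process holds the xtables lock, as NixOS's own firewall scripts do. The hand-written POSTROUTING MASQUERADE also looks redundant with `networking.nat` (`internalInterfaces = [ "wireguard0" ]` in the second hunk), which installs an equivalent masquerade if its externalInterface is eno3 — that option is outside the diff, so confirm before keeping both. The enclosing WireGuard interface definition starts before this hunk.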