diff --git a/wireguard_vps-to-internal_forwarding/wg0_server.conf b/wireguard_vps-to-internal_forwarding/wg0_server.conf
new file mode 100644
index 0000000000000000000000000000000000000000..0c2a62815136f6fac3b30592cb37646439cd4fc6
--- /dev/null
+++ b/wireguard_vps-to-internal_forwarding/wg0_server.conf
@@ -0,0 +1,36 @@
+#
+# Server (in the Wireguard context, exposed to the Internet)
+#
+
+[Interface]
+## My VPN server private IP address ##
+Address = 10.10.123.1/24
+
+## My VPN server port ##
+ListenPort = 12345
+
+## VPN server's private key i.e. /etc/wireguard/privatekey ##
+PrivateKey = <SERVER PRIVKEY>
+
+PostUp = iptables -A FORWARD -i eth0 -o wg0 -p tcp --syn --dport 80 -m conntrack --ctstate NEW -j ACCEPT
+PostUp = iptables -A FORWARD -i eth0 -o wg0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
+PostUp = iptables -A FORWARD -i wg0 -o eth0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
+PostDown = iptables -D FORWARD -i eth0 -o wg0 -p tcp --syn --dport 80 -m conntrack --ctstate NEW -j ACCEPT
+PostDown = iptables -D FORWARD -i eth0 -o wg0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
+PostDown = iptables -D FORWARD -i wg0 -o eth0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
+
+PostUp = iptables -i eth0 -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to-destination 10.10.123.2
+PostUp = iptables -t nat -A POSTROUTING -o wg0 -p tcp --dport 80 -d 10.10.123.2 -j SNAT --to-source 10.10.123.1
+PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
+
+PostDown = iptables -i eth0 -t nat -D PREROUTING -p tcp --dport 80 -j DNAT --to-destination 10.10.123.2
+PostDown = iptables -t nat -D POSTROUTING -o wg0 -p tcp --dport 80 -d 10.10.123.2 -j SNAT --to-source 10.10.123.1
+PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
+
+
+[Peer]
+## Desktop/client VPN public key ##
+PublicKey = <CLIENT PUBKEY>
+
+## client VPN IP address (note  the /32 subnet) ##
+AllowedIPs = 10.10.123.2/32
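Review bot: The `iptables -A FORWARD -i wg0 -j ACCEPT` on the last PostUp line accepts every packet arriving from the tunnel, so the ESTABLISHED,RELATED-only rule for `-i wg0 -o eth0` above it is redundant and, together with the MASQUERADE on eth0, the peer can open new outbound connections through the VPS rather than only answer forwarded port-80 traffic. If the goal is only to publish port 80, drop that rule from the PostUp/PostDown pair (and the MASQUERADE if the peer does not need egress through the VPS), or add a comment stating that full egress is intended. The appended ACCEPT rules only restrict anything when the FORWARD policy is DROP and forwarding is enabled, neither of which this file sets, so a comment such as `# requires net.ipv4.ip_forward=1 and a default-drop FORWARD policy` would help. The SNAT to 10.10.123.1 also means the internal web server sees every request as coming from the VPS, which is worth a comment for anyone relying on source addresses for logging or rate limiting.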