Let's say we have a WireGuard setup like the one in the diagram below (see the imgur link; I couldn't post the image without reputation) with the following PostUp & PostDown:
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
https://i.stack.imgur.com/nXEmF.png
Clients can access our private network through WireGuard (the servers are not WireGuard clients; they just have a second network interface which is connected to our private network). In this case, if we look at the access logs of the services running on our servers, we see that the client IP is the IP address of the WireGuard server (172.16.2.1). This is correct, because MASQUERADE is used, which replaces the source IP while forwarding. Our preferred outcome would be to see the client IPs in the services running on our servers (i.e. 172.16.2.2 or 172.16.2.3). Is there a way to set up the routing on the WireGuard server such that the source IP is preserved when forwarding requests through WireGuard? Then we could block and allow clients based on their client IP on the servers themselves, and have access logs that are traceable to the specific clients.
P.S. I know how to configure iptables so that access control is handled there, but that is not the preferred solution, as there is no way to trace who did what on the network.
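One way to get the real client addresses onto the servers, shown here as an added example rather than the question's own configuration: stop NATing the traffic that is destined for the private network, and instead give the servers (or their default gateway) a return route for the WireGuard subnet that points at the WireGuard server's private-side address. The private subnet 10.0.0.0/24, the WireGuard server's address 10.0.0.1 on it, and the key placeholders are assumptions for illustration; eth0 is kept as the private-facing interface, as in the PostUp/PostDown above.

```ini
# /etc/wireguard/wg0.conf on the WireGuard server (added example, not the original config).
# Assumptions (hypothetical, substitute the real values from the diagram):
#   wg0  = 172.16.2.1/24          WireGuard subnet for the clients
#   eth0 = 10.0.0.1/24            interface toward the private network 10.0.0.0/24
[Interface]
Address = 172.16.2.1/24
ListenPort = 51820
PrivateKey = <server private key>
# Forward in both directions (the -o wg0 rule matters if the FORWARD policy is DROP), and
# do NOT rewrite the source address of packets going to the private subnet. MASQUERADE is
# kept only for other destinations, e.g. if eth0 is also the uplink to the internet.
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -A FORWARD -o wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 ! -d 10.0.0.0/24 -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -D FORWARD -o wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 ! -d 10.0.0.0/24 -j MASQUERADE

[Peer]
PublicKey = <client public key>
AllowedIPs = 172.16.2.2/32

# Without NAT the servers now see source addresses in 172.16.2.0/24, so their replies must
# be routed back to the WireGuard server instead of to the LAN's default gateway. On each
# server (or once on that gateway, if it is the servers' default route), add:
#   ip route add 172.16.2.0/24 via 10.0.0.1
# If the servers run their own firewall, also allow 172.16.2.0/24 there; from then on the
# access logs show 172.16.2.2 / 172.16.2.3 and the services can filter on those addresses.
```

The check that the change worked is simple: `tcpdump -ni eth0 host 10.0.0.X` on the WireGuard server should show the client's 172.16.2.x address as the source of the forwarded packets, and the replies from the server should come back in on eth0 rather than disappearing toward the LAN's default gateway. If the replies are missing, the return route is the usual culprit.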