Rocky 9 wireguard masquerade traffic to internet not working

Installed WireGuard; access to local resources works well, but traffic masquerading cannot be started and internet access is not opened. The instructions from Red Hat do not contain a description of the steps for opening internet access for clients connected via WireGuard, and setting it up the old way, as for previous versions, does not work. SELINUX=disabled. Maybe someone understands how to solve this problem?

#wg0.conf on server
[Interface]
Address    = 10.10.0.1/24
ListenPort = 51820
PrivateKey = ACvFwT2hwYQJi4oI1f1cMgJyH8fFtmQ3j4QV1sjqcm0=

[Peer]
PublicKey  = RvQSExSi6KUzxqFXjfCWNkH1uLRw96OMF/F/OY74Qys=
AllowedIPs = 10.10.0.2/32

#run wireguard and open port
systemctl enable --now wg-quick@wg0
firewall-cmd --permanent --zone=public --add-port=51820/udp
firewall-cmd --permanent --change-zone=wg0 --zone=work
firewall-cmd --permanent --zone=public --add-masquerade
firewall-cmd --reload

#on client config
[Interface]
PrivateKey = iMkLdAEgXm4SQebjhcd/h7qE4Gu0glm25Uug6BjIrnc=
Address = 10.10.0.2/24
DNS = 1.1.1.1

[Peer]
PublicKey = 0Uryjm4u1VdJ4ggVabPx+YyiMJG5xnBdvGlbE1ZvqHc=
AllowedIPs = 0.0.0.0/1, 128.0.0.0/1
Endpoint = serverIp:51820
PersistentKeepalive = 20

#In the previous version, Rocky 8, this was enough to make internet access work when connected to WireGuard.

sudo vi /etc/sysctl.conf
net.ipv4.ip_forward=1
firewall-cmd --permanent --zone=public --add-masquerade
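An added diagnostic, not code from this thread, that encodes the firewalld 1.x behaviour the server setup above runs into on Rocky 9: the zone holding the internet-facing interface must masquerade, and forwarded traffic must either stay inside one zone (forwarded by default in firewalld 1.x) or be allowed by a policy with target ACCEPT from the wg0 zone to that zone. The verdict function is pure and runs anywhere; the live part assumes `firewall-cmd` and `ip` are available and that the tunnel interface is named wg0.

```shell
#!/bin/sh
# Pure verdict; arguments mirror what firewall-cmd reports:
#   $1 zone of wg0, $2 zone of the default-route (WAN) interface,
#   $3 comma-separated zones with masquerade enabled,
#   $4 comma-separated "ingress>egress" pairs from ACCEPT policies (ANY allowed on either side).
# Prints "ok" or "fail: <reason>" and always returns 0, so it is safe under set -e.
wg_forward_verdict() {
    wg_zone=$1; wan_zone=$2; masq=",$3,"; pols=",$4,"
    case "$masq" in
        *",$wan_zone,"*) ;;
        *) echo "fail: masquerade not enabled on WAN zone '$wan_zone'"; return 0 ;;
    esac
    # firewalld 1.x forwards between interfaces of the same zone by default
    if [ "$wg_zone" = "$wan_zone" ]; then echo "ok"; return 0; fi
    # between different zones an ACCEPT policy is required (e.g. wg0 in "work", WAN in "public")
    case "$pols" in
        *",$wg_zone>$wan_zone,"*|*",ANY>$wan_zone,"*|*",$wg_zone>ANY,"*|*",ANY>ANY,"*) echo "ok" ;;
        *) echo "fail: no ACCEPT policy from zone '$wg_zone' to zone '$wan_zone'" ;;
    esac
}

# Zone of interface $1; an interface with no explicit zone lands in the default zone.
zone_of() {
    z=$(firewall-cmd --get-zone-of-interface="$1" 2>/dev/null || true)
    case "$z" in ""|"no zone") firewall-cmd --get-default-zone ;; *) echo "$z" ;; esac
}

# Live check, run only where firewalld is installed and running; skipped elsewhere.
live_check() {
    command -v firewall-cmd >/dev/null 2>&1 && firewall-cmd --state >/dev/null 2>&1 ||
        { echo "firewalld not available; live check skipped"; return 0; }
    wan_if=$(ip -o route show default 2>/dev/null | awk '{print $5; exit}')
    wg_zone=$(zone_of wg0); wan_zone=$(zone_of "$wan_if")
    masq=""; for z in $(firewall-cmd --get-zones); do
        firewall-cmd --zone="$z" --query-masquerade >/dev/null 2>&1 && masq="$masq,$z"
    done
    pols=""; for p in $(firewall-cmd --get-policies); do
        info=$(firewall-cmd --info-policy="$p" 2>/dev/null || true)
        [ "$(printf '%s\n' "$info" | awk '/^ *target:/{print $2}')" = "ACCEPT" ] || continue
        for i in $(printf '%s\n' "$info" | awk '/^ *ingress-zones:/{$1="";print}'); do
            for e in $(printf '%s\n' "$info" | awk '/^ *egress-zones:/{$1="";print}'); do
                pols="$pols,$i>$e"; done; done
    done
    echo "ip_forward=$(cat /proc/sys/net/ipv4/ip_forward 2>/dev/null || echo '?')" \
         "wg0 zone=$wg_zone, wan ($wan_if) zone=$wan_zone"
    wg_forward_verdict "$wg_zone" "$wan_zone" "${masq#,}" "${pols#,}"
}
live_check
```

With the configuration from the question (wg0 in work, masquerade only on public, no policy) the verdict is the missing work-to-public policy, which also explains why dropping wg0 back into the default zone makes clients reach the internet.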

Looking at your configuration, I think your problem is that you put wg0 on the “work” firewall zone.
Try to remove the wg0 from that zone.
I was having the same problem and after removing the wireguard interface from the firewall zone, the clients were able to connect to the internet.

Thanks for the answer. I’ve tried different ways to set up the firewall, including without a work zone, but with no success. I have a strong feeling that until 9.1 is released, it makes no sense to use Rocky 9; I had problems in many places.