NAT WireGuard -> LAN respecting last octet

Hello. I have a WireGuard server in the office, connected to the LAN (several NAS and other devices).

The IP in the WG tunnel for client peers is 10.0.3.xxx, and devices in the LAN have IPs like 192.168.100.xxx.

I'm using a NAT rule with masquerading, so WireGuard peers are using the router's LAN interface IP to connect to LAN devices.

My goal is to create a NAT rule that can respect the last octet when using LAN:

  • 10.0.3.81 -> 192.168.100.81
  • 10.0.3.13 -> 192.168.100.13
  • 10.0.3.241 -> 192.168.100.241
  • 10.0.3.XYZ -> 192.168.100.XYZ

And doing this for all the WireGuard addresses in only one rule, not doing 1:1 for each client.

Is it possible?

Thank you.

What are you actually trying to achieve with this proposed setup? What devices are going to have NAT addresses?

I don't think you can do it with one rule. While the SNAT source IP can be a range, the rewritten source IP isn't.
Furthermore, if you directly applied a raw iptables rule, the SNAT addresses are used as a pool, so the allocation would be random.
It would be more sensible to apply the 192.168.100.X addresses directly on the WG interfaces to avoid all this.
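
The mapping asked for in the question (network bits rewritten, host octet kept), together with a check for mapped addresses that would collide with hosts already on the LAN. This is an added example, not code from either post; the two subnets and the peer addresses come from the question, while the `LAN_IN_USE` list and the function names are assumptions made for illustration.

```python
import ipaddress

WG_NET = ipaddress.ip_network("10.0.3.0/24")        # tunnel subnet from the question
LAN_NET = ipaddress.ip_network("192.168.100.0/24")  # office LAN from the question

def map_prefix(addr, src_net=WG_NET, dst_net=LAN_NET):
    """Rewrite the network bits of addr, keeping its host bits unchanged."""
    ip = ipaddress.ip_address(addr)
    if src_net.prefixlen != dst_net.prefixlen:
        raise ValueError("1:1 mapping needs equal prefix lengths")
    if ip not in src_net:
        raise ValueError(f"{ip} is outside {src_net}")
    host_bits = int(ip) & int(src_net.hostmask)
    return ipaddress.ip_address(int(dst_net.network_address) | host_bits)

def find_conflicts(peers, lan_in_use):
    """Return {peer: mapped} for peers whose mapped address is already taken
    on the LAN or is unusable (network or broadcast address)."""
    taken = {ipaddress.ip_address(a) for a in lan_in_use}
    reserved = {LAN_NET.network_address, LAN_NET.broadcast_address}
    conflicts = {}
    for peer in peers:
        mapped = map_prefix(peer)
        if mapped in taken or mapped in reserved:
            conflicts[peer] = str(mapped)
    return conflicts

# Constructed sample data: peers are from the question, LAN hosts are assumed.
PEERS = ["10.0.3.81", "10.0.3.13", "10.0.3.241"]
LAN_IN_USE = ["192.168.100.1", "192.168.100.13", "192.168.100.50"]

if __name__ == "__main__":
    for p in PEERS:
        print(p, "->", map_prefix(p))
    print("conflicts:", find_conflicts(PEERS, LAN_IN_USE))
```

The same collision check applies if the 192.168.100.X addresses are assigned to the WireGuard peers directly: any peer whose last octet matches a LAN device has to be renumbered first.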