linux
furyon, 2020-10-01 06:27:38

How to set up wireguard for LAN access?

At the moment I have several virtual servers. During development I access them by external IP. To improve security, I decided to remove the external IP where it makes no sense (database, local services, ...) and organize access via VPN. I don't understand networking; after some research I decided to use WireGuard. After a few days I managed to do what was required, but I wanted to ask knowledgeable people whether I have left any security holes.

Plan: I bring up WireGuard on one of the servers that has an external IP and access to the local network; clients (developers) get into the local network through it.

Server config

# echo "net.ipv4.ip_forward=1" >> /etc/sysctl.conf
# vim /etc/wireguard/wg0.conf

[Interface]
Address = 10.20.0.1/24
ListenPort = 51820
PrivateKey = <server_privatekey>
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

[Peer]
AllowedIPs = 10.20.0.2/32
PublicKey = <client_publickey>


Client config

[Interface]
Address = 10.20.0.2/32
PrivateKey = <client_privatekey>

[Peer]
AllowedIPs = 10.7.158.156/13
Endpoint = <server_public_ip>:51820
PublicKey = <server_publickey>
PersistentKeepalive = 20


Explanations

The subnet 10.20.0.0/24 was picked arbitrarily.
About 10.7.158.156/13: I ran ip a in the virtual machine, and the eth0 interface had this local IP. I decided that it should be used as the subnet for the client's AllowedIPs.
The part I understand least is the iptables setup in the server config. I put it together by trial and error.

Thanks in advance!
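Added example, not the poster's code and not part of the answer below: a small POSIX shell script that turns an interface address as printed by `ip a` (the `10.7.158.156/13` from the post) into the network address that belongs in `AllowedIPs`, checks whether a CIDR is already in network form, and prints server and client configs whose iptables rules forward tunnel traffic only to that LAN instead of to every destination the server can reach. It assumes the same tunnel subnet 10.20.0.0/24, LAN interface eth0 and key placeholders as the post; `wg` and `iptables` are never executed, the functions only compute addresses and print text, so it runs on any machine.

```shell
#!/bin/sh
# Added example (not the original poster's code). Assumptions: tunnel subnet
# 10.20.0.0/24, the LAN is reached through eth0, key placeholders as in the post.
# Nothing here runs wg or iptables; the functions compute addresses and print
# configuration text, so the script runs on any machine.

# Dotted quad -> 32-bit integer, e.g. ip2int 10.7.158.156 -> 168271516
ip2int() {
    set -- $(printf '%s' "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# 32-bit integer -> dotted quad
int2ip() {
    printf '%d.%d.%d.%d' $(( ($1 >> 24) & 255 )) $(( ($1 >> 16) & 255 )) \
                         $(( ($1 >> 8) & 255 ))  $(( $1 & 255 ))
}

# Clear the host bits of an address/prefix as shown by `ip a`:
# network_of 10.7.158.156/13 -> 10.0.0.0/13
network_of() {
    prefix=${1#*/}
    mask=$(( (4294967295 << (32 - prefix)) & 4294967295 ))
    echo "$(int2ip $(( $(ip2int "${1%/*}") & mask )))/$prefix"
}

# Exit 0 when the CIDR is already a network address, i.e. fit for AllowedIPs.
is_network() {
    [ "$(network_of "$1")" = "$1" ]
}

# Server side. $1 = LAN network, $2 = client tunnel address (/32).
# The FORWARD rules only restrict anything if the chain policy is DROP
# (iptables -P FORWARD DROP); with the default ACCEPT policy, ip_forward=1
# already forwards everything and an ACCEPT rule changes nothing.
server_conf() {
    cat <<EOF
[Interface]
Address = 10.20.0.1/24
ListenPort = 51820
PrivateKey = <server_privatekey>
# Forward tunnel traffic only towards the LAN, plus replies back into the tunnel.
PostUp = iptables -A FORWARD -i %i -s 10.20.0.0/24 -d $1 -j ACCEPT; iptables -A FORWARD -o %i -d 10.20.0.0/24 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT; iptables -t nat -A POSTROUTING -s 10.20.0.0/24 -d $1 -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -s 10.20.0.0/24 -d $1 -j ACCEPT; iptables -D FORWARD -o %i -d 10.20.0.0/24 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT; iptables -t nat -D POSTROUTING -s 10.20.0.0/24 -d $1 -o eth0 -j MASQUERADE

[Peer]
# Only packets sourced from this one address are accepted from this peer.
AllowedIPs = $2
PublicKey = <client_publickey>
EOF
}

# Client side. $1 = LAN network. Routes the tunnel subnet and the LAN, nothing else.
client_conf() {
    cat <<EOF
[Interface]
Address = 10.20.0.2/32
PrivateKey = <client_privatekey>

[Peer]
AllowedIPs = 10.20.0.0/24, $1
Endpoint = <server_public_ip>:51820
PublicKey = <server_publickey>
PersistentKeepalive = 20
EOF
}

# Usage: derive the LAN from the eth0 address seen in the VM and print both configs.
lan=$(network_of 10.7.158.156/13)
is_network 10.7.158.156/13 || echo "note: host bits were cleared, AllowedIPs uses $lan" >&2
server_conf "$lan" 10.20.0.2/32
echo
client_conf "$lan"
```

Two design points. The `-s 10.20.0.0/24 -d <LAN>` qualifiers on the MASQUERADE rule keep the server from becoming a general internet gateway for VPN clients, which the unqualified `-o eth0 -j MASQUERADE` in the post allows. The client's `AllowedIPs` lists the tunnel subnet as well as the LAN, because with only the LAN listed the client has no route to the server's own tunnel address 10.20.0.1.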


1 answer(s)
unseriously, 2020-10-01
@unseriously

https://www.youtube.com/watch?v=D7Zp2yjjzV4
