root@prod-vm:~# ip a 
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 3e:1e:9c:ec:84:98 brd ff:ff:ff:ff:ff:ff
    altname enp0s18
    altname ens18
    inet 10.68.0.80/16 brd 10.68.255.255 scope global eth0
       valid_lft forever preferred_lft forever
    inet 10.68.1.65/16 brd 10.68.255.255 scope global secondary dynamic ens18
       valid_lft 76031sec preferred_lft 76031sec
    inet6 fe80::3c1e:9cff:feec:8498/64 scope link 
       valid_lft forever preferred_lft forever

root@prod-vm:~# cat /etc/network/interfaces.d/50-cloud-init 
# This file is generated from information provided by the datasource.  Changes
# to it will not persist across an instance reboot.  To disable cloud-init's
# network configuration capabilities, write a file
# /etc/cloud/cloud.cfg.d/99-disable-network-config.cfg with the following:
# network: {config: disabled}
auto lo
iface lo inet loopback
    dns-nameservers 192.168.1.3 1.1.1.1
    dns-search local.arpa

auto eth0
iface eth0 inet static
    address 10.68.0.80/16
    gateway 10.68.254.254

root@prod-vm:~# cat /run/network/interfaces.d/ens18 
auto ens18
allow-hotplug ens18

iface ens18 inet dhcp

curl -v https://rutracker.org
*   Trying 195.82.146.214:443...
* Connected to rutracker.org (195.82.146.214) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /data/data/com.termux/files/usr/etc/tls/cert.pem
  CApath: /data/data/com.termux/files/usr/etc/tls/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* OpenSSL SSL_connect: Connection reset by peer in connection to rutracker.org:443
* Closing connection 0
curl: (35) OpenSSL SSL_connect: Connection reset by peer in connection to rutracker.org:443

iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu

iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 1380

[Interface]
Address = 10.100.100.10/24
SaveConfig = false
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE; iptables -A FORWARD -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE; iptables -D FORWARD -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
ListenPort = 51820
PrivateKey = 


[Peer]
PublicKey = 
AllowedIPs = 10.100.100.19/32, 10.66.1.254/24

[Interface]
Address = 10.100.100.19/24
PrivateKey = 
DNS = 1.1.1.1, 1.0.0.1

PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o ens18 -j MASQUERADE; iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o ens18 -j MASQUERADE; iptables -D FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu

[Peer]
PublicKey = 
Endpoint = :51820
AllowedIPs = 0.0.0.0/0, ::/0
PersistentKeepalive = 25