diff --git a/roles/common/tasks/ubuntu.yml b/roles/common/tasks/ubuntu.yml
index c2a73f3e..9f59e33e 100644
--- a/roles/common/tasks/ubuntu.yml
+++ b/roles/common/tasks/ubuntu.yml
@@ -136,8 +136,6 @@
         value: 1
       - item: "{{ 'net.ipv6.conf.all.forwarding' if ipv6_support else none }}"
         value: 1
-      - item: net.ipv4.conf.all.route_localnet
-        value: 1
 
 - name: Install packages (batch optimization)
   include_tasks: packages.yml
diff --git a/roles/strongswan/tasks/ubuntu.yml b/roles/strongswan/tasks/ubuntu.yml
index 92601905..e23d138b 100644
--- a/roles/strongswan/tasks/ubuntu.yml
+++ b/roles/strongswan/tasks/ubuntu.yml
@@ -9,6 +9,16 @@
     state: present
     persistent: present
 
+- name: Ubuntu | Enable route_localnet for IPsec traffic on main interface
+  sysctl:
+    name: "net.ipv4.conf.{{ ansible_default_ipv4['interface'] }}.route_localnet"
+    value: 1
+    sysctl_set: true
+    state: present
+    reload: true
+  when: ipsec_enabled
+  tags: always
+
 - name: Ubuntu | Install strongSwan (individual)
   apt:
     name: strongswan
diff --git a/roles/wireguard/tasks/ubuntu.yml b/roles/wireguard/tasks/ubuntu.yml
index 4051d1e9..06829042 100644
--- a/roles/wireguard/tasks/ubuntu.yml
+++ b/roles/wireguard/tasks/ubuntu.yml
@@ -52,3 +52,12 @@
     notify:
       - daemon-reload
       - restart wireguard
+
+- name: Ubuntu | Enable route_localnet for WireGuard interface
+  sysctl:
+    name: "net.ipv4.conf.{{ wireguard_interface }}.route_localnet"
+    value: 1
+    sysctl_set: true
+    state: present
+    reload: true
+  tags: always
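Review bot: The strongSwan task scopes route_localnet to `ansible_default_ipv4['interface']`, which for policy-based IPsec is also the interface untunnelled Internet traffic arrives on, so the relaxation still applies to every packet on it rather than only to decrypted ESP payload; a comment above the task stating that the firewall must restrict 127.0.0.0/8-destined DNAT to IPsec-policy-matched traffic would make the intended boundary explicit. Dropping the entry from roles/common/tasks/ubuntu.yml does not revert `net.ipv4.conf.all.route_localnet` on hosts provisioned before this change, because the persisted sysctl.conf line and the live value stay as they were, so the narrowing only takes effect there with an explicit removal task such as `- sysctl: { name: net.ipv4.conf.all.route_localnet, state: absent, reload: true }` (or setting it to 0). If the default interface name contains a dot (VLAN-style names), the dotted sysctl key is ambiguous and the `/` form is needed; `name: "net.ipv4.conf.{{ ansible_default_ipv4['interface'] | replace('.', '/') }}.route_localnet"` covers that. `ansible_default_ipv4` is presumably absent on a host without a default IPv4 route, in which case this task would error rather than skip — confirm the inventory never includes such hosts.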
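Review bot: Unlike the strongSwan task in roles/strongswan/tasks/ubuntu.yml, the WireGuard task has no `when:` guard, so it runs whenever this file is included; if the role is only included when WireGuard is enabled, a comment above the task saying so would document the asymmetry, otherwise a guard like `when: wireguard_enabled | default(false)` keeps the two roles consistent. Interface-scoped keys under `net.ipv4.conf.<if>` exist only while the interface is up, so `sysctl_set: true` will presumably fail if `wireguard_interface` has not been brought up yet — the restart is only notified here and handlers run at the end of the play — and the persisted sysctl.conf entry is likely skipped at boot for the same reason; setting the key from the interface's own bring-up (a PostUp line or a systemd drop-in on the WireGuard unit) would be the reliable place, to be confirmed against the role's service setup. This hunk ends the file, so the new task is the last one in it.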