I tried to find an answer to my question, but I've not found anything... If this has been asked and answered, I'll be happy with a pointer.
I have a server running Ubuntu 23.10 with two network interfaces: enp2s0 and enp3s0.
enp3s0 is connected to an internet router, gets an address from DHCP (it is always served the same one, 192.168.127.10) and then establishes a WireGuard VPN to another site (the WireGuard address is 10.83.53.24 with 255.255.255.0). The VPN works great and I can reach everything I want to reach through it from the server.
enp2s0 has a static IP address assigned (192.168.125.1) and is connected to a local LAN. I installed Kea DHCP and I serve IP addresses to the machines on the local LAN. This works great.
I would like all the machines on the 192.168.125.0 subnet to use the Ubuntu server (192.168.125.1 on enp2s0) as a router to everywhere outside the subnet (and I configured Kea to establish it as a router, and the clients that connect are getting the right configuration).
I uncommented "net.ipv4.ip_forward=1" in /etc/sysctl.conf.
I then entered the following commands:
sudo iptables -t nat -A POSTROUTING -o enp3s0 -j MASQUERADE
sudo iptables -A FORWARD -i enp2s0 -o enp3s0 -j ACCEPT
sudo iptables -A FORWARD -i enp3s0 -o enp2s0 -m state --state ESTABLISHED,RELATED -j ACCEPT
This did not work.
When I look at my routing tables, though, they seem like they should work:
ip route show
default via 192.168.127.1 dev enp3s0 proto dhcp src 192.168.127.10 metric 101
default via 192.168.127.1 dev enp2s0 proto static metric 20100
10.83.53.0/24 dev main proto kernel scope link src 10.83.53.24 metric 50
169.254.0.0/16 dev enp2s0 scope link metric 1000
192.168.125.0/24 dev enp2s0 proto kernel scope link src 192.168.125.1 metric 100
192.168.127.0/24 dev enp3s0 proto kernel scope link src 192.168.127.10 metric 101
192.168.127.1 dev enp2s0 proto static scope link metric 20100
I can SSH to the server from a client on the 192.168.125 subnet, but I can't go beyond it.
I am stumped. I would love any suggestions.
Thank you in advance.
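An added example, not part of the original post: a shell check that lists every interface the posted routing table can send traffic out of and reports which of them the three iptables rules do not mention. The route and rule text is copied from the post; the function names and the rule format (the form `iptables -S` and `iptables -t nat -S` print) are assumptions of this example.

```shell
#!/bin/sh
# Routing table as posted above (copied, not live output).
ROUTES='default via 192.168.127.1 dev enp3s0 proto dhcp src 192.168.127.10 metric 101
default via 192.168.127.1 dev enp2s0 proto static metric 20100
10.83.53.0/24 dev main proto kernel scope link src 10.83.53.24 metric 50
169.254.0.0/16 dev enp2s0 scope link metric 1000
192.168.125.0/24 dev enp2s0 proto kernel scope link src 192.168.125.1 metric 100
192.168.127.0/24 dev enp3s0 proto kernel scope link src 192.168.127.10 metric 101
192.168.127.1 dev enp2s0 proto static scope link metric 20100'

# The three rules from the post, written the way "iptables -S" lists rules
# (constructed from the commands, not captured from the server).
RULES='-A POSTROUTING -o enp3s0 -j MASQUERADE
-A FORWARD -i enp2s0 -o enp3s0 -j ACCEPT
-A FORWARD -i enp3s0 -o enp2s0 -m state --state ESTABLISHED,RELATED -j ACCEPT'

# egress_ifaces ROUTES LAN_IF: every distinct "dev" in the table except the LAN side.
egress_ifaces() {
  printf '%s\n' "$1" | awk -v lan="$2" '
    { for (i = 1; i < NF; i++) if ($i == "dev" && $(i + 1) != lan) print $(i + 1) }' | sort -u
}

# covered RULES CHAIN OUT_IF TARGET [IN_IF]: succeeds if some rule in CHAIN has
# "-o OUT_IF -j TARGET" (and "-i IN_IF" when IN_IF is given).
covered() {
  printf '%s\n' "$1" | awk -v c="$2" -v out="$3" -v tgt="$4" -v inif="$5" '
    $1 == "-A" && $2 == c {
      o = ""; t = ""; n = ""
      for (i = 3; i < NF; i++) {
        if ($i == "-o") o = $(i + 1)
        if ($i == "-i") n = $(i + 1)
        if ($i == "-j") t = $(i + 1)
      }
      if (o == out && t == tgt && (inif == "" || n == inif)) found = 1
    }
    END { exit !found }'
}

# audit ROUTES RULES LAN_IF: one line per egress interface the rules leave out.
audit() {
  for ifc in $(egress_ifaces "$1" "$3"); do
    covered "$2" POSTROUTING "$ifc" MASQUERADE "" || echo "$ifc: no MASQUERADE rule"
    covered "$2" FORWARD "$ifc" ACCEPT "$3" || echo "$ifc: no FORWARD accept from $3"
  done
}

audit "$ROUTES" "$RULES" enp2s0
```

On a live host the same functions can be fed `"$(ip route show)"` and the combined output of `iptables -S` and `iptables -t nat -S`; the running forwarding flag is read separately with `sysctl net.ipv4.ip_forward`.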