diff --git a/vpnerator.sh b/vpnerator.sh
index 5407e44..25371ab 100755
--- a/vpnerator.sh
+++ b/vpnerator.sh
@@ -46,6 +46,13 @@ deps() {
 	return 0
 }
 
+enable_forwarding() {
+	if sysctl net.ipv4.ip_forward | grep -q 0 ; then
+		sudo sysctl -wq net.ipv4.ip_forward=1
+		touch /tmp/vpnerator-ipfwd
+	fi
+}
+
 remove_interface() {
 	exec_sudo iptables -D FORWARD -i \$1 -j ACCEPT
 	exec_sudo iptables -D FORWARD -o \$1 -j ACCEPT
@@ -54,10 +61,12 @@ remove_interface() {
 }
 
 cleanup() {
-	sudo sysctl -wq net.ipv4.ip_forward=0
+	if [ -f '/tmp/vpnerator-ipfwd' ] ; then
+		sudo sysctl -wq net.ipv4.ip_forward=0
+		rm /tmp/vpnerator-ipfwd
+	fi
 
 	EXIST_INTERFACE=\$(ip addr show to ${SERVER_ADDR} | head -1 | awk '{ print \$2 }' | cut -d':' -f1)
-
 	if [ ! -z "\${EXIST_INTERFACE}" ] ; then
 		if [ -z "\$(ip link show "\${EXIST_INTERFACE}" type wireguard)" ] ; then
 			# bail if the existing interface isn't of type wireguard
@@ -112,7 +121,7 @@ EOF
 exec_sudo wg setconf "${INTERFACE_NAME}" "\${TMP}"
 rm "\${TMP}"
 
-exec_sudo sysctl -wq net.ipv4.ip_forward=1
+enable_forwarding
 
 exec_sudo ip addr add "${SERVER_ADDR}" dev "${INTERFACE_NAME}"
 exec_sudo ip link set mtu 1420 up dev "${INTERFACE_NAME}"