diff --git a/files/nspawn-nat.service b/files/nspawn-nat.service
new file mode 100644
index 0000000000000000000000000000000000000000..df2058ca6ebe27cd40ef694415e62f6f683ed2c4
--- /dev/null
+++ b/files/nspawn-nat.service
@@ -0,0 +1,15 @@
+[Unit]
+Description="Enable NAT on nspawn bridge due to Debian bug #787480."
+Requires=systemd-networkd
+After=systemd-networkd
+After=ufw
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+Environment=network="192.168.123.0/24"
+ExecStart=/sbin/iptables -w -t nat -A POSTROUTING -s "$network" ! -d "$network" -j MASQUERADE
+ExecStop=/sbin/iptables -w -t nat -D POSTROUTING -s 192.168.123.0/24 ! -d 192.168.123.0/24 -j MASQUERADE
+
+[Install]
+WantedBy=network.target
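Review bot: `ExecStop` hard-codes 192.168.123.0/24 while `ExecStart` reads it from `$network`, so changing the `Environment=` line later would make the stop command try to delete a rule that does not exist and leave the old MASQUERADE rule in the nat table. Use the variable in both places: `ExecStop=/sbin/iptables -w -t nat -D POSTROUTING -s "$network" ! -d "$network" -j MASQUERADE`. The dependency lines also name units without a type suffix; as far as I know systemd does not append one in unit files and ignores such entries, so the ordering against networkd and ufw may not take effect. Writing `Requires=systemd-networkd.service` and `After=systemd-networkd.service ufw.service` avoids that. The rule matches on source subnet only; if the bridge and uplink interface names are fixed on these hosts, adding an `-o` match would keep the masquerade scoped to the intended egress path.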
diff --git a/tasks/main.yml b/tasks/main.yml
index 0c0efa721a7e69186d16f54a574e90ae54b6082b..b4ef326390b17b5e594f06a2563c405c44514f28 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -44,6 +44,14 @@
     group: root
     mode: '0644'
 
+- name: Add NAT workaround for Debian bug #787480
+  copy:
+    src: nspawn-nat.service
+    dest: /etc/systemd/system/nspawn-nat.service
+    owner: root
+    group: root
+    mode: '0644'
+
 - name: Disable networking service, enable systemd-networkd
   with_items:
   - name: systemd-resolved
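Review bot: The new copy task has no `notify`, and nothing visible in this hunk reloads systemd or enables and starts nspawn-nat.service, so the NAT rule may never be installed, or may stay stale after the unit file changes. The `with_items` list of the following task continues outside the hunk, so the unit may be enabled there; if not, add it to that list and add something like `notify: <handler that runs daemon-reload and restarts nspawn-nat>` to the copy task. Separately, the unquoted task name contains ` #`, which YAML treats as the start of a comment, so the name is cut off at "Debian bug". Quote it: `- name: 'Add NAT workaround for Debian bug #787480'`.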