I have a remote VPS that acts as a wireguard server (keys omitted):

[Interface]
Address = 10.0.0.2/24
[Peer] # self host server
AllowedIPs = 10.0.0.1/32

(The VPS is configured to be a router from the wg0 to it’s WAN via nft masquerading)

And i have another server, my self-host server, which connects to the VPS trough wireguard because it uses wireguard tunnel as a port-forwarder with some nft glue on the VPS side to “port forward” my 443 port:

[Interface]
Address = 10.0.0.1/24
[Peer]
AllowedIPs = 10.0.0.2/24

(omitted the nft glue)

My self-hosted server default route goes trough my home ISP and that must remain the case.

Now, on the self-host server i have one specific user that i need to route trough the wireguard tunnel for it’s outgoing traffic, because i need to make sure it’s traffic seems to originate from the VPS.

The way i usually handle this is with a couple of nft commands to create a user-specific routing table and assign a different default route to it (uid=1070):

 ip rule add uidrange  1070-1070 lookup 1070
ip route add default via 192.168.0.1 dev eno1 table 1070

(this is the case, and works, to use eno1 as default gateway for user 1070. Traceroute 8.8.8.8 will show user 1070 going trough eno1, while any other user going trough the default gateway)

If i try the same using the wg0 interface, it doesn’t work.

 ip rule add uidrange  1070-1070 lookup 1070
ip route add default via 10.0.0.2 dev wg0 table 1070

This doesnt work, wireguard refuses to allow packets trough with an error like:

ping 8.8.8.8
From 10.0.0.1 icmp_seq=3 Destination Host Unreachable                                            
ping: sendmsg: Required key not available 

I tried to change my self-host server AllowedIps like this:

[Interface]
Address = 10.0.0.1/24
[Peer]
AllowedIPs = 10.0.0.2/24, 0.0.0.0/0

and it works! User 1070 can route trough wireguard. BUT… now this works just too much… because all my self-host server traffic goes trough the wg0, which is not what i want.

So i tried to disable the WireGuard messing with routing tables:

[Interface]
Address = 10.0.0.1/24
Table = off
[Peer]
AllowedIPs = 10.0.0.2/24, 0.0.0.0/0

and manually added the routes for user 1070 like above (repeat for clarity):

 ip rule add uidrange  1070-1070 lookup 1070
ip route add default via 10.0.0.2 dev wg0 table 1070

The default route now doesnt get replaced, but now, without any error, the packers for user 1070 just don’t get routed. ping 8.8.8.8 for user 1070 just hangs

I am at a loss… Any suggestions?

(edits for clarity and a few small errors)