Access to existing services on host, Wireguard for new outbound connections

Paul Chambers bod at
Mon Dec 17 05:25:26 CET 2018

Sorry if this has been asked and answered - List archives and Googling
have turned up all kinds of semi-related information, but frankly,
taken en masse it's more confusing than helpful.

I have a VPS running services that I continue to need to access (ssh,
zabbix agent, etc.) while any new outbound connections originating on
that host should go out over the wireguard VPN interface.

In other words, established/related traffic to inbound connections to
the public IP of the host should go back out the interface it arrived
on (not the default route), while new outbound connections originating
on the host should follow the default route (i.e. exit via the
wireguard interface)

My experiments are complicated by not being able to SSH into the VPS
when wg-quick switches the default route, kind of a circular
problem... I'm resorting to writing scripts that bring up the VPN, try
something, then log information into files, then bring down the VPN
connection again. Pretty tedious.

One idea I haven't tried yet is if I use an iptables match for
'related,established' traffic in the outbound table to set a fwmark,
and use an 'ip route' rule to use that fwmark to switch to a table
that's a copy of the routes/default route before wg-quick changed the

I've seen examples that use an 'ip rule' to set a fwmark on outbound
traffic originating from the public wan interface, and 'ip route'
rules to switch to another table for that traffic, which contains a
copy of the ip routes before the default route was switched. But that
technique doesn't seem to be working for me, and given the debugging
challenges, I'm having a hard time figuring out why.

Doesn't seem like a strange thing to want to do; any advice would be
much appreciated.

- Paul

More information about the WireGuard mailing list