Trying to route only IRC traffic through wireguard interface
Andreas Hasenack
andreas.hasenack at canonical.com
Mon Dec 23 19:46:04 UTC 2024
Hi,
I'm traveling, and this ISP that I'm using "on the road" decided to
block port 6697/tcp. I thought about using my existing wireguard VPN
to also route this traffic through it.
The problem is that there isn't just one ip to pick to add to
AllowedIPs, it's several, and they change according to what DNS is
resolving at that particular time.
So I thought to use policy routing. Something like:
iptables -t mangle -A OUTPUT -p tcp --dport 6697 -j MARK --set-mark 1
echo "100 wireguard" > /etc/iproute2/rt_tables.d/wireguard.conf
ip rule add fwmark 1 table wireguard
ip route add default via 10.10.12.1 dev wg0 table wireguard src 10.10.12.11
tcpdump shows this working on the local box, i.e., I see an outbound
connection to the IRC server on the wireguard interface, but it never
arrives anywhere. tcpdump on the other side of the wireguard tunnel
shows zero traffic. I suspect wireguard locally is blocking it,
because that IP is not in AllowedIPs, but I can't confirm because this
box has secure boot and I can't enable debugfs to check the wireguard
messages.
If that's the case, is the only solution to really add all IPs of this
IRC server to AllowedIPs, dynamically even perhaps? I know I could
just route everything through wireguard, but now my interest is piqued
by this particular case, and I wanted to be able to use policy
routing.
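An added diagnostic, not part of the original post, that models WireGuard's cryptokey routing decision over a constructed `wg show wg0 allowed-ips` listing (the peer keys and addresses are placeholders): a packet that policy routing has steered onto wg0 is still dropped when no peer's AllowedIPs covers its destination, which is the failure the post describes.

```python
import ipaddress
from typing import Optional

# Constructed sample in the format printed by `wg show wg0 allowed-ips`:
# one line per peer: public key, a tab, then space-separated CIDRs.
# Keys and addresses are placeholders, not from any real configuration.
SAMPLE_ALLOWED_IPS = """\
PEER_PUBKEY_A_PLACEHOLDER=\t10.10.12.0/24 fd00:10:12::/64
PEER_PUBKEY_B_PLACEHOLDER=\t192.168.50.0/24 192.168.50.7/32
"""


def parse_allowed_ips(text: str) -> dict:
    """Map each peer key to the networks it is allowed to send and receive."""
    table = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        key, _, cidrs = line.partition("\t")
        nets = []
        if cidrs.strip() != "(none)":
            for cidr in cidrs.split():
                nets.append(ipaddress.ip_network(cidr, strict=False))
        table[key] = nets
    return table


def select_peer(table: dict, dest: str) -> Optional[tuple]:
    """Cryptokey routing: longest-prefix match across all peers' AllowedIPs.
    Returns (peer_key, matching_network), or None when no peer matches,
    which is exactly when wg0 silently discards the outbound packet."""
    addr = ipaddress.ip_address(dest)
    best = None
    for key, nets in table.items():
        for net in nets:
            if addr.version == net.version and addr in net:
                if best is None or net.prefixlen > best[1].prefixlen:
                    best = (key, net)
    return best


def explain(table: dict, dest: str) -> str:
    hit = select_peer(table, dest)
    if hit is None:
        return f"{dest}: no peer lists it in AllowedIPs -> dropped by wg0"
    return f"{dest}: encrypted to peer {hit[0]} via {hit[1]}"


if __name__ == "__main__":
    t = parse_allowed_ips(SAMPLE_ALLOWED_IPS)
    for d in ("10.10.12.1", "192.168.50.7", "203.0.113.5"):
        print(explain(t, d))
```

The routing table only decides which packets reach wg0; AllowedIPs then decides whether wg0 will encrypt them. Giving the peer 0.0.0.0/0 in AllowedIPs while keeping the kernel routes under your own control (for example wg-quick's `Table = off`) lets the fwmark rule alone pick what enters the tunnel.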
More information about the WireGuard
mailing list