
I am connected to a VPS and need to route a specific application through a VPN. However, when I enable my VPN via WireGuard, my SSH connection to the VPS drops. By default, my VPN routes all traffic through itself, but I only want certain applications to use the VPN. My goal is to configure WireGuard so that only applications explicitly bound to the VPN's network interface (se-got-wg-001) will use the VPN, while others will continue using the default interface (eth0).

Below is my current WireGuard configuration:

[Interface]
PrivateKey = REDACTED
Address = 10.66.127.142/32,fc00:bbbb:bbbb:bb01::3:7f8d/128
DNS = REDACTED

[Peer]
PublicKey = REDACTED
AllowedIPs = 0.0.0.0/0,::0/0
Endpoint = REDACTED

I want these changes to persist after a reboot. What modifications should I make to ensure my system uses eth0 as the default interface, even when the VPN is enabled?

I’ve found some related posts that might help, but I’m still unclear about the steps I need to take:

Here is some information about my system:

root@vmixxx /e/wireguard# neofetch
root@vmixxx.contaboserver.net
---------------------------------
OS: Ubuntu 24.04.1 LTS x86_64
Host: KVM/QEMU (Standard PC (i440FX + PIIX, 1996) pc-i440fx-7.2)
Kernel: 6.8.1-1009-realtime
Uptime: 2 hours, 45 mins
Packages: 1813 (dpkg), 4 (snap)
Shell: fish 3.7.0
Resolution: 800x600
CPU: AMD EPYC 7282 (4) @ 2.794GHz
GPU: 00:02.0 Vendor 1234 Device 1111
Memory: 2630MiB / 5925MiB
H2WO

1 Answer


WireGuard doesn't handle routing. wg-quick converts your AllowedIPs into routes, so if you have "AllowedIPs = 0.0.0.0/0", wg-quick will add a 0.0.0.0/0 route from that.

In your wg-quick configuration, specify Table= to have it install the routes into a different routing table instead of the main table. For example:

[Interface]
Table = 40

When the VPN is brought up, run ip [-4] [-6] route ls table 40 to verify that routes indeed get placed in that table.

Finally use ip -4 rule add from 10.66.127.142/32 lookup 40 to have the OS select that table for any packets originating from wg0's IPv4 address, and repeat the same with ip -6 rule for its IPv6 address (you can specify from fc00::/8 if it won't conflict with other interfaces, but it's better to match the whole /128).

Configure wg-quick's PostUp= to automatically add those policy-routing rules.

grawity
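Putting the answer's three steps together, here is an added example of the complete wg-quick config for the question's interface (this is not code from the question or the answer); it assumes the file is /etc/wireguard/se-got-wg-001.conf, that routing table 40 and rule priority 100 are otherwise unused, and keeps the question's redacted values as-is.

```ini
# /etc/wireguard/se-got-wg-001.conf  (added example; assumed filename)
[Interface]
PrivateKey = REDACTED
Address = 10.66.127.142/32, fc00:bbbb:bbbb:bb01::3:7f8d/128
DNS = REDACTED
# Routes derived from AllowedIPs go into table 40, not the main table,
# so eth0's default route in the main table is left untouched.
Table = 40
# Policy rules: only packets whose source is the tunnel address consult
# table 40; everything else (including the SSH session) keeps using eth0.
# Priority 100 is an assumption; pick any value that does not clash
# with existing rules shown by `ip rule`.
PostUp = ip -4 rule add from 10.66.127.142/32 lookup 40 priority 100
PostUp = ip -6 rule add from fc00:bbbb:bbbb:bb01::3:7f8d/128 lookup 40 priority 100
# Remove the rules again when the tunnel is taken down.
PreDown = ip -4 rule del from 10.66.127.142/32 lookup 40 priority 100
PreDown = ip -6 rule del from fc00:bbbb:bbbb:bb01::3:7f8d/128 lookup 40 priority 100

[Peer]
PublicKey = REDACTED
AllowedIPs = 0.0.0.0/0, ::0/0
Endpoint = REDACTED
```

For persistence across reboots, enable the unit with `systemctl enable --now wg-quick@se-got-wg-001`; afterwards `ip rule` and `ip -4 route show table 40` should list the two rules and the 0.0.0.0/0 route, and only applications bound to 10.66.127.142 (or the fc00 address) will leave via the tunnel.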