I've been attempting to set up WireGuard as a VPN gateway manually instead of using wg-quick, as I don't want to route the local machine's traffic over the tunnel, only a specific interface and subnet's traffic. I've created a VLAN interface with an IP which is served as the default gateway through DHCP, and set up NAT and routing with iptables.

I use the below command sequence to perform this setup:

ip link add wg0 type wireguard
wg setconf wg0 /etc/wireguard/wg0.conf
ip address add w.x.y.z/32 dev wg0
iptables -t nat -A POSTROUTING -o wg0 -j MASQUERADE
iptables -A FORWARD -i eth0.30 -o wg0 -j ACCEPT
iptables -A FORWARD -i wg0 -o eth0.30 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i wg0 -j DROP
ip link set up dev wg0

I'm connecting to the endpoint on UDP 2049 and have the listen port randomly chosen. The interface is configured and brought up successfully, however it seems no handshake ever occurs. Running a tcpdump doesn't even show any traffic across the main interface to indicate a handshake is occurring. Here's my scrubbed config:

PrivateKey = myprivkey

PublicKey = theirpubkey
AllowedIPs =
Endpoint = w.x.y.z:2049

Here's the output of wg:

interface: wg0
  public key: mypubkey
  private key: (hidden)
  listening port: 36236 (random)

peer: theirpubkey
  endpoint: w.x.y.z:2049
  allowed ips:

Is there anything I can do to figure out or debug what's happening besides packet capture? If I run wg-quick up wg0, the handshake actually occurs! If I then assign the IP address manually, I can send and receive data across the tunnel. My command sequence to set the interface up is actually derived from the commands wg-quick executes so I'm very confused as to why one works and not the other when they're essentially the same thing. Would someone be able to point me in the right direction?


I ended up adding Table = off to the WireGuard configuration file to stop it from modifying routes automatically, and brought the interface up with wg-quick. Then, I used ip rule to add policy-based routing to push only traffic from eth0.30 across the tunnel, followed by NAT and traffic forwarding with iptables. Here's how I achieved this from start to finish (I added the command sequence to the PostUp and PostDown sections of the WireGuard config):

#!/usr/bin/env sh

wg-quick up wg0
ip route add default wg0 table 1
ip rule add dev eth0.30 lookup 1
ip rule add from lookup main  # exception for DNS nameserver so queries can return
ip rule add lookup main suppress_prefixlength 0
iptables -t nat -A POSTROUTING -o wg0 -j MASQUERADE
iptables -A FORWARD -i eth0.30 -o wg0 -j ACCEPT
iptables -A FORWARD -i wg0 -o eth0.30 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

Undoing the changes is very similar:

#!/usr/bin/env sh

wg-quick down wg0
ip rule delete dev eth0.30 lookup 1
ip rule delete from lookup main
ip rule delete lookup main suppress_prefixlength 0
iptables -t nat -D POSTROUTING -o wg0 -j MASQUERADE
iptables -D FORWARD -i eth0.30 -o wg0 -j ACCEPT
iptables -D FORWARD -i wg0 -o eth0.30 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

All the commands must be on a single line separated by semicolons in order to fit in the PostUp and PostDown sections of the WireGuard config, and although the file itself looks unsightly, it's by far the cleanest way to do it all. I hope this helps someone who comes across this dead thread lol

  • You need to set AllowedIPs= to the actual networks you want to route, not That is why it set the default gateway. – Michael Hampton Mar 14 '21 at 22:28
  • I did not fully understand what you meant but I changed the AllowedIPs to the subnet range of the interface which I want to forward packets over, however this just ensured I could not access anything on my VPN provider's side. The client in this case is connecting to my VPN provider, who I want internet from, so it must be for the whole internet. Additionally, there is still no handshake without using wg-quick, so this creates more problems than it solved... – xBelladonna Mar 14 '21 at 23:18

