
Suppose I have two servers, gateway which is publicly visible to the internet and appserver which is hidden behind a NAT/firewall. Also suppose that each of these two servers has two interfaces connected to entirely separate internet uplinks (see diagram below).

I want to set up two independent Wireguard tunnels between the two servers with the goal of keeping the servers connected if one of them fails:

                   |     Internet     |        
[ gateway ]        |                  |        [appserver]
                   |                  | 
   (wg0) <-----> (ens1) < - - - - > (ens1) <----> (wg0)
                   |                  | 
                   |                  | 
                   |                  |        
   (wg1) <-----> (ens2) < - - - - > (ens2) <----> (wg1)
                   |                  | 
                   |                  | 

By default, Wireguard seems to route all traffic through the system's default gateway. So when appserver attempts to connect to gateway, it only uses one of the two interfaces:

                   |     Internet     |        
[ gateway ]        |                  |        [appserver]
                   |                  | 
   (wg0) <--+--> (ens1) < - - - - > (ens1) <--+--> (wg0)
            |      |                  |       |
            |      |                  |       |
            |      |                  |       | 
   (wg1) <--+    (ens2)      X      (ens2)    +--> (wg1)
                   |                  | 
                   |                  |

Since some network tools allow setting a specific network interface to use when sending network traffic, can Wireguard also do the same thing? That is, only send traffic over ens1 or ens2 regardless of default route metrics? If not, how can I set up Linux's networking systems to do this instead?

1 Answer


I wasn't able to find a way to make wireguard itself connect through a specific interface, so I eventually settled on simply routing traffic destined to ens2 by adding a new route to appserver's routing tables:

# host route: reach gateway's ens2 address through appserver's ens2 next hop
ip route add $GATEWAY_ENS2_ADDR/32 via $APPSERVER_ENS2_ADDR_GW metric 50

APPSERVER_ENS2_ADDR_GW is the address of appserver's gateway router.

While researching this, I noticed that wireguard allows you to set a fwmark on outgoing traffic belonging to a specific wireguard interface by setting the FwMark field under [Interface]. Wireguard does not support setting this mark on a per-peer basis as of the time of this writing (2021-09).

I'll be leaving this question open in case someone discovers a true answer to this question.
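Since each tunnel here is its own interface (wg0 and wg1), the per-interface FwMark the answer mentions is already enough to pin each one to an uplink with Linux policy routing. The script below is an added example, not the answerer's setup: it assumes appserver's wg0.conf carries "FwMark = 0x1" and wg1.conf "FwMark = 0x2" under [Interface], and the next-hop addresses are constructed placeholders.

```sh
#!/bin/sh
# Added example: pin each WireGuard tunnel on appserver to one uplink using
# WireGuard's per-interface FwMark plus ip rule / ip route policy routing.
# Assumes wg0.conf has "FwMark = 0x1" and wg1.conf has "FwMark = 0x2".
ENS1_GW=${ENS1_GW:-192.0.2.1}       # appserver's next hop on ens1 (placeholder)
ENS2_GW=${ENS2_GW:-198.51.100.1}    # appserver's next hop on ens2 (placeholder)

# Run a command, or only print it when DRY_RUN is set, so the plan can be
# reviewed without root and without touching the live routing tables.
run() {
    if [ -n "${DRY_RUN:-}" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# pin_tunnel MARK TABLE DEV GATEWAY
# WireGuard stamps MARK on the encapsulated UDP packets of that interface.
# The rule sends marked packets to TABLE, whose only default route leaves
# DEV via GATEWAY. Priority 100 is consulted before the main table (32766),
# so the metric of the system default route no longer decides the uplink.
pin_tunnel() {
    mark=$1; table=$2; dev=$3; gw=$4
    run ip route replace default via "$gw" dev "$dev" table "$table"
    run ip rule add fwmark "$mark" lookup "$table" priority 100
}

# pin_all: wg0 (mark 0x1) -> ens1, wg1 (mark 0x2) -> ens2
pin_all() {
    pin_tunnel 0x1 101 ens1 "$ENS1_GW"
    pin_tunnel 0x2 102 ens2 "$ENS2_GW"
}

# pin_host_route GATEWAY_ENS2_ADDR APPSERVER_ENS2_GW
# The answer's alternative: a /32 host route for gateway's ens2 endpoint.
# It needs no fwmark but only pins the one endpoint address, not the tunnel.
pin_host_route() {
    run ip route add "$1/32" via "$2" dev ens2 metric 50
}

# Apply only when explicitly asked: ./pin-tunnels.sh apply (as root).
if [ "${1:-}" = "apply" ]; then
    pin_all
fi
```

Run with DRY_RUN=1 first to print the ip commands; afterwards "ip rule show" should list the two fwmark rules ahead of the main table.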