Excluding fwmark(ed) Packets from Wireguard Tunnel

Question

In the scenario described here, I ended up with this config in the client (the endpoint WG server has two public IPs)

[Interface]
Address = <ip_to_use>/32
PrivateKey = xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

[Peer]
PublicKey = yyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy
AllowedIPs = 0.0.0.0/0
Endpoint = <wg_server_ip>:51820
PersistentKeepalive = 10

Now I would like to exclude from the Wireguard tunnel either all processes from an user or all packets (to and from) certain ports.

It has been brought to my attention that this can be done using the fwmark set by WG itself, and I don't need to use another mark, as suggested here.

This is IPtables 1.6 on Ubuntu 16.04. How can I exclude from the WG tunnel, using the mark created by wg-quick, either per user or per port?

Answer 1

The solution I found was to upgrade to Ubuntu 18.04.1, which enabled the following new feature to handle the problem in one line:

PostUp = ip rule add uidrange 0-0 lookup main
PostDown = ip rule del uidrange 0-0 lookup main

Running 16.04.5 with kernel 4.15 didn't allow for uidrange. Using uidrange also requires iproute2 to be of a higher version than provided by the Xenial repo. Iptables 1.6.1 alone is not enough.