Wireguard server and openvpn client - Forward traffic from wg0 to tun0 (openvpn tunnel)
In short: The solution
Create a new routing table:
ip route add default via 192.168.1.5 dev eth0 table 7
ip rule add fwmark 0x55 priority 1000 table 7
ip route flush cache
Where 192.168.1.5 is the default gateway on your external interface (eth0), i.e. the LAN router that eth0 normally hands internet traffic to. The address after "via" must be that next hop, not the address of eth0 itself, otherwise the route is useless. Now add this to the [Interface] section of your wg0.conf:
FwMark = 0x55
Now you will be able to connect to your home server via WireGuard even while its OpenVPN tunnel is up.
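The three commands and the wg0.conf line above, wrapped into a small script that can be re-run safely and that verifies the result with `ip route get`. This is an added example, not a script from the original post; it assumes the post's values (gateway 192.168.1.5 on eth0, mark 0x55, table 7, rule priority 1000), all of which can be overridden through the environment. Applying the rules needs root; with DRY_RUN=1 the commands are only printed.

```shell
#!/bin/sh
# Added example, not code from the original post: idempotent setup of the
# "bypass the tunnel" routing table and fwmark rule, plus a check that asks the
# kernel where a marked and an unmarked packet would actually go.
# Assumptions (adjustable via the environment): LAN router 192.168.1.5 reachable
# on eth0, mark 0x55, table 7, rule priority 1000, as in the post.
set -eu

GATEWAY="${GATEWAY:-192.168.1.5}"
EXT_IF="${EXT_IF:-eth0}"
FWMARK="${FWMARK:-0x55}"
TABLE="${TABLE:-7}"
PRIO="${PRIO:-1000}"   # after the local table (prio 0), before main (32766)

# Execute a command, or only print it when DRY_RUN=1.
run() {
  if [ "${DRY_RUN:-0}" = 1 ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# Table 7 holds a single default route via the LAN router; the rule sends every
# packet carrying the mark to that table, so it never sees the tun0 routes.
bypass_route_setup() {
  # "replace" instead of "add": re-running must not fail with "File exists".
  run ip route replace default via "$GATEWAY" dev "$EXT_IF" table "$TABLE"
  # Older kernels happily add a duplicate rule, newer ones refuse with
  # "File exists"; deleting a stale copy first ends with exactly one rule.
  if [ "${DRY_RUN:-0}" != 1 ]; then
    ip rule del fwmark "$FWMARK" priority "$PRIO" table "$TABLE" 2>/dev/null || true
  fi
  run ip rule add fwmark "$FWMARK" priority "$PRIO" table "$TABLE"
  # A no-op on kernels since 3.6 (no route cache), kept because the post uses it.
  run ip route flush cache
}

# The wg0.conf lines that make WireGuard's own UDP packets carry the mark.
wg_conf_snippet() {
  printf '[Interface]\nFwMark = %s\n' "$FWMARK"
}

# With the OpenVPN tunnel up, the first answer should name eth0, the second tun0.
bypass_route_check() {
  echo "marked:";   ip route get 1.1.1.1 mark "$FWMARK"
  echo "unmarked:"; ip route get 1.1.1.1
  # Strict reverse-path filtering on eth0 can drop the incoming WireGuard
  # packets: the kernel's reverse lookup ignores the mark and expects the
  # peer's address to be reachable via tun0, so loose mode (2) is needed.
  knob="/proc/sys/net/ipv4/conf/$EXT_IF/rp_filter"
  if [ -r "$knob" ] && [ "$(cat "$knob")" = 1 ]; then
    echo "warning: $knob is 1 (strict); set it to 2 if handshakes never arrive"
  fi
}

case "${1:-}" in
  setup)  bypass_route_setup ;;
  check)  bypass_route_check ;;
  wgconf) wg_conf_snippet ;;
esac
```

Run it as `sudo ./bypass.sh setup`, then `sudo ./bypass.sh check` with the OpenVPN tunnel up: the "marked" line must mention eth0 and the "unmarked" line tun0, otherwise the rule or the table is not in place. The rules do not survive a reboot; put the setup call into the WireGuard PostUp line or a systemd unit.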
A longer explanation
When you start your OpenVPN tunnel with redirect-gateway, new routes are added to the main routing table.
One of them might look like this:
0.0.0.0/1 via 10.8.8.1 dev tun0
Together with its counterpart 128.0.0.0/1 (the "def1" method), it covers every address but is more specific than the existing default route, so all your internet traffic is sent out through the tunnel without the original default route being replaced.
This is great, but whenever you want to communicate with your routing machine over the unprotected interface, its answers are also sent into the tunnel. That is why you can no longer reach your server over HTTPS, even if you have forwarded port 443 to it: the requests arrive on eth0, but the answers are routed into the tunnel and are lost.
With the second routing table, which can be viewed via
ip route show table 7
and the rule for fwmark 0x55, we have basically told your machine to route every marked packet over the normal, unprotected eth0 interface. The rest will still be sent into the tunnel. The rule's priority 1000 places it after the local table (priority 0), so traffic to the machine's own addresses is unaffected, and before the main table (priority 32766), so marked packets never see the tun0 routes at all.
What else could be done?
I actually found the solution back then, when I hadn't even heard of WireGuard. I wanted to connect to my home network via OpenVPN at the time and was unable to do that when the server had its tunnel up. However, my own OpenVPN server was listening on port 993, so I marked every packet with "0x55" that passed through that port:
sudo iptables -t mangle -A OUTPUT -p tcp --sport 993 -j MARK --set-mark 0x55
That made a VPN connection to my VPN-connected server possible.
E-Mail Ports not protected
My VPN provider does not allow sending mail through its VPN because there had been spam problems. This rule marks SMTP connections (port 25) that LAN clients send through this machine, so that they leave over eth0 instead of the tunnel (it sits in PREROUTING because the mark has to be set before the routing decision; mail submission on ports 587 or 465 needs the same rule with those ports, and mail sent by this machine itself would have to be marked in OUTPUT instead):
iptables -t mangle -A PREROUTING -p tcp --dport 25 -j MARK --set-mark 0x55
MAC addresses without VPN
You might want a complete device to be "unprotected". If you were using a Swedish server and don't want to see Swedish YouTube ads on your tablet, you might want to do this:
iptables -t mangle -A PREROUTING -m mac --mac-source 00:11:22:33:44:55 -j MARK --set-mark 0x55
You'd have to use your tablet's MAC address, of course (a placeholder is shown here; note that a MAC address consists of hexadecimal digits only, iptables rejects anything else). The mac match only sees hosts on the directly attached LAN, because the source MAC is rewritten at every router hop.
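The three exceptions from this section (a local service's replies, LAN mail traffic, a whole device by MAC) combined into one re-runnable script, together with the NAT rule that forwarded LAN traffic needs once it leaves through eth0 instead of the tunnel. This is an added example, not a script from the original post. It assumes the machine is the LAN's router (client traffic is forwarded through it), that eth0 is the external interface, that the local service is on 993/tcp as in the post, and it uses a placeholder MAC address; the mark 0x55 is the one the routing rule from the first section matches on. With DRY_RUN=1 the rules are only printed.

```shell
#!/bin/sh
# Added example, not code from the original post: the "exceptions" of this
# section as idempotent iptables rules (no duplicate rules when re-run), plus the
# NAT that forwarded LAN traffic needs on eth0 once it bypasses the tunnel.
# Assumptions: this machine routes for the LAN, eth0 is the external interface,
# 993/tcp is the local service whose replies must bypass the tunnel, and the
# tablet MAC below is a placeholder to be replaced with the real one.
set -eu

FWMARK="${FWMARK:-0x55}"
EXT_IF="${EXT_IF:-eth0}"
LOCAL_PORT="${LOCAL_PORT:-993}"
TABLET_MAC="${TABLET_MAC:-00:11:22:33:44:55}"   # placeholder

# Append a rule unless an identical one already exists (iptables -C exits
# non-zero when the rule is missing). With DRY_RUN=1 only the -A form is printed.
add_rule() {
  table="$1"; shift
  if [ "${DRY_RUN:-0}" = 1 ]; then
    printf 'iptables -t %s -A %s\n' "$table" "$*"
  else
    iptables -t "$table" -C "$@" 2>/dev/null || iptables -t "$table" -A "$@"
  fi
}

mark_exceptions() {
  # 1. Replies of a service running on this machine originate here, so they
  #    must be marked in OUTPUT; PREROUTING never sees locally generated packets.
  add_rule mangle OUTPUT -p tcp --sport "$LOCAL_PORT" -j MARK --set-mark "$FWMARK"
  # 2. Mail from LAN clients is marked in PREROUTING, before the routing
  #    decision. Port 25 alone only covers server-to-server SMTP; mail clients
  #    submit on 587 or 465, so those are included as well.
  add_rule mangle PREROUTING -p tcp -m multiport --dports 25,465,587 -j MARK --set-mark "$FWMARK"
  # 3. A whole device by MAC address. The source MAC is rewritten at every
  #    router hop, so this only matches hosts on the directly attached LAN.
  add_rule mangle PREROUTING -m mac --mac-source "$TABLET_MAC" -j MARK --set-mark "$FWMARK"
}

# Forwarded packets that now leave via eth0 still carry private LAN source
# addresses; without NAT on eth0 their replies never find the way back.
nat_for_bypass() {
  add_rule nat POSTROUTING -o "$EXT_IF" -j MASQUERADE
}

# The packet counters show whether a rule matches anything at all.
show_marks() {
  iptables -t mangle -L PREROUTING -v -n --line-numbers
  iptables -t mangle -L OUTPUT -v -n --line-numbers
}

case "${1:-}" in
  apply) mark_exceptions; nat_for_bypass ;;
  show)  show_marks ;;
esac
```

Run `sudo ./exceptions.sh apply` after the routing table and rule from the first section are in place, then `sudo ./exceptions.sh show` while generating some of the traffic: a rule whose pkts counter stays at 0 is in the wrong chain or matches the wrong direction.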