WireGuard server and OpenVPN client - Forward traffic from wg0 to tun0 (OpenVPN tunnel)

In short: The solution

Create a new routing table:

ip route add default via dev eth0 table 7
ip rule add fwmark 0x55 priority 1000 table 7
ip route flush cache

Where is the IP of your external interface (eth0). Now add this to your wg0.conf:

FwMark = 0x55

Now you will be able to connect to your home server via WireGuard even when its OpenVPN tunnel is open.

A longer explanation

When you start your OpenVPN tunnel, a new route is added to the main routing table. This route might look like this: via dev tun0 and means that all your internet traffic should be sent out through the tunnel.

This is great, but whenever you want to communicate with your routing machine over the unprotected interface, the answers of your machine would also be sent into the tunnel. That is why you can no longer reach your server over HTTPS, even if you had forwarded port 443 to it. Its answers would simply be sent into the tunnel and be lost.

With the second routing table (which can be viewed via ip route show table 7) and the 0x55 rule, we've basically told your machine to route every marked packet over the normal, unprotected eth0 interface. The rest will still be sent into the tunnel.
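As an added example (not part of the original post), here is a small Python check that the three pieces of this setup agree with each other: the FwMark in wg0.conf, the ip rule that matches that mark, and the default route in the table the rule points to. The command outputs and the config are constructed samples; 192.0.2.1 stands in for the real gateway address.

```python
import re

# Constructed samples standing in for `ip rule show`, `ip route show table 7`
# and /etc/wireguard/wg0.conf on the server (not captured from a real host).
IP_RULE_OUTPUT = """\
0:\tfrom all lookup local
1000:\tfrom all fwmark 0x55 lookup 7
32766:\tfrom all lookup main
32767:\tfrom all lookup default
"""
TABLES = {"7": "default via 192.0.2.1 dev eth0\n"}
WG0_CONF = """\
[Interface]
Address = 10.10.0.1/24
ListenPort = 51820
FwMark = 0x55
PrivateKey = <placeholder>
"""


def rule_table_for_mark(ip_rule_output, mark):
    """Return the table that `ip rule` sends packets carrying `mark` to, or None."""
    for line in ip_rule_output.splitlines():
        m = re.search(r"fwmark (0x[0-9a-f]+|\d+)(?:/\S+)? lookup (\S+)", line)
        if m and int(m.group(1), 0) == mark:
            return m.group(2)
    return None


def default_dev_in_table(table_output):
    """Return the device of the default route in one routing-table dump, or None."""
    for line in table_output.splitlines():
        m = re.match(r"default via \S+ dev (\S+)", line)
        if m:
            return m.group(1)
    return None


def wg_fwmark(conf_text):
    """Read FwMark from a wg-quick config; hex or decimal is accepted."""
    m = re.search(r"^\s*FwMark\s*=\s*(\S+)", conf_text, re.MULTILINE)
    return int(m.group(1), 0) if m else None


def check_policy_routing(ip_rule_output, tables, conf_text, external_dev):
    """True only when the WireGuard mark, the ip rule and the table line up."""
    mark = wg_fwmark(conf_text)
    if mark is None:
        return False
    table = rule_table_for_mark(ip_rule_output, mark)
    if table is None:
        return False
    return default_dev_in_table(tables.get(table, "")) == external_dev
```

On a real server, feed it the output of `ip rule show`, `ip route show table 7` and your wg0.conf; a mismatch in any of the three is the usual reason the WireGuard handshake still disappears into tun0.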

What else could be done?
I actually found the solution back then when I hadn't even heard of WireGuard. I wanted to connect to my home network via OpenVPN at the time and was unable to do that when the server had its tunnel up. However, my own OpenVPN server was listening on port 993, so I marked every packet with "0x55" that passed through that port:

sudo iptables -t mangle -A OUTPUT -p tcp -m multiport --sport 993 -j MARK --set-mark 0x55

That made a VPN connection to my VPN-connected server possible.

E-Mail Ports not protected

My VPN provider does not allow sending mails through its VPN because there had been spam problems. This rule would route the connection to my mail accounts without passing them through the tunnel:

iptables -t mangle -A PREROUTING -p tcp --dport 25 -j MARK --set-mark 0x55

MAC-addresses without VPN

You might want a complete device to be "unprotected". If you were using a Swedish server and don't want to see Swedish YouTube ads on your tablet, you might want to do this:

iptables -t mangle -A PREROUTING -m mac --mac-source 4c:h7:9f:0l:17:k1 -j MARK --set-mark 0x55

You'd have to use your tablet's MAC address, of course.