Two WireGuard interfaces on one server

wg0.conf: External interface (10.7.10.0/24)

wg1.conf: Internal (clients) interface (10.7.1.0/24)

We want to route all traffic from the server, and from wg1, to wg0.

Add to wg0.conf

PostUp = ip rule add from Your.Server.External.IP table main
PreDown = ip rule del from Your.Server.External.IP table main

Add to wg1.conf, in the [Interface] block

FwMark = 51820

If we want to disable the kill-switch on the server side and route only traffic from wg1 to wg0, then we should create a separate routing table in wg0.conf (the out interface!)

Traffic from the server will go via the default ISP gateway, but traffic from the WireGuard clients will be routed through the other WireGuard interface. That is enough; the FwMark and PostUp rules shown before are not needed in this case.

Table = off
PostUp = ip rule add iif wg1 lookup 80
PostUp = ip route add default dev wg0 table 80
PreDown = ip rule del iif wg1 lookup 80
PreDown = ip route del default dev wg0 table 80
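
A way to confirm that the policy routing above is in place, as an added example that is not part of the original notes. It parses the output of `ip rule show` and `ip route show table 80`; the sample output is constructed, and the `live` argument is an assumption of this script that makes it read the real tables instead.

```shell
#!/bin/sh
# Added example: verify the "iif wg1 lookup 80" policy routing from wg0.conf.

# Print the priority of the rule that sends packets arriving on wg1 to table 80.
rule_prio() {
    printf '%s\n' "$1" |
        awk '/ iif wg1 / && / lookup 80( |$)/ { sub(":", "", $1); print $1; exit }'
}

# $1 = output of `ip rule show`, $2 = output of `ip route show table 80`.
check_wg_policy() {
    prio=$(rule_prio "$1")
    [ -n "$prio" ] || { echo "FAIL: no 'iif wg1 lookup 80' rule"; return 1; }
    # The main table rule sits at priority 32766; ours must be consulted first.
    [ "$prio" -lt 32766 ] ||
        { echo "FAIL: rule is evaluated after the main table"; return 1; }
    printf '%s\n' "$2" | grep -Eq '^default dev wg0( |$)' ||
        { echo "FAIL: table 80 has no default route via wg0"; return 1; }
    echo "OK"
}

# Constructed sample output (not captured from a real host).
SAMPLE_RULES=$(printf '0:\tfrom all lookup local\n32765:\tfrom all iif wg1 lookup 80\n32766:\tfrom all lookup main\n32767:\tfrom all lookup default')
SAMPLE_ROUTES='default dev wg0 scope link'

if [ "${1:-}" = "live" ]; then
    check_wg_policy "$(ip rule show)" "$(ip route show table 80)"
else
    check_wg_policy "$SAMPLE_RULES" "$SAMPLE_ROUTES"
fi
```

If the check fails while wg1 is up, packets from wg1 clients fall through to the main table and leave via the default ISP gateway instead of wg0.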

On the external VPS, don't forget about iptables

/etc/systemd/system/wg-iptables.service

[Unit]
Before=network.target

[Service]
Type=oneshot
ExecStart=/usr/sbin/iptables -t nat -A POSTROUTING -s 10.7.0.0/24 ! -d 10.7.0.0/24 -j MASQUERADE
ExecStart=/usr/sbin/iptables -t nat -A POSTROUTING -s 10.7.1.0/24 ! -d 10.7.1.0/24 -j MASQUERADE
ExecStart=/usr/sbin/iptables -t nat -A POSTROUTING -s 10.7.10.0/24 ! -d 10.7.10.0/24 -j MASQUERADE
ExecStart=/usr/sbin/iptables -I INPUT -p udp --dport 51820 -j ACCEPT
ExecStart=/usr/sbin/iptables -A INPUT -p udp --dport 49666 -j ACCEPT
ExecStart=/usr/sbin/iptables -A INPUT -p udp --dport 49667 -j ACCEPT
ExecStart=/usr/sbin/iptables -A FORWARD -s 10.7.1.0/24 -j ACCEPT
ExecStart=/usr/sbin/iptables -I FORWARD -s 10.7.0.0/24 -j ACCEPT
ExecStart=/usr/sbin/iptables -I FORWARD -s 10.7.10.0/24 -j ACCEPT
ExecStart=/usr/sbin/iptables -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
ExecStop=/usr/sbin/iptables -t nat -D POSTROUTING -s 10.7.0.0/24 ! -d 10.7.0.0/24 -j MASQUERADE
ExecStop=/usr/sbin/iptables -t nat -D POSTROUTING -s 10.7.1.0/24 ! -d 10.7.1.0/24 -j MASQUERADE
ExecStop=/usr/sbin/iptables -t nat -D POSTROUTING -s 10.7.10.0/24 ! -d 10.7.10.0/24 -j MASQUERADE
ExecStop=/usr/sbin/iptables -D INPUT -p udp --dport 51820 -j ACCEPT
ExecStop=/usr/sbin/iptables -D INPUT -p udp --dport 49666 -j ACCEPT
ExecStop=/usr/sbin/iptables -D INPUT -p udp --dport 49667 -j ACCEPT
ExecStop=/usr/sbin/iptables -D FORWARD -s 10.7.0.0/24 -j ACCEPT
ExecStop=/usr/sbin/iptables -D FORWARD -s 10.7.1.0/24 -j ACCEPT
ExecStop=/usr/sbin/iptables -D FORWARD -s 10.7.10.0/24 -j ACCEPT
ExecStop=/usr/sbin/iptables -D FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
ExecStart=/usr/sbin/ip6tables -t nat -A POSTROUTING -s fddd:2c4:2c4:2c4::/64 ! -d fddd:2c4:2c4:2c4::/64 -j MASQUERADE
ExecStart=/usr/sbin/ip6tables -I FORWARD -s fddd:2c4:2c4:2c4::/64 -j ACCEPT
ExecStart=/usr/sbin/ip6tables -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
ExecStop=/usr/sbin/ip6tables -t nat -D POSTROUTING -s fddd:2c4:2c4:2c4::/64 ! -d fddd:2c4:2c4:2c4::/64 -j MASQUERADE
ExecStop=/usr/sbin/ip6tables -D FORWARD -s fddd:2c4:2c4:2c4::/64 -j ACCEPT
ExecStop=/usr/sbin/ip6tables -D FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
RemainAfterExit=yes

[Install]
WantedBy=multi-user.target