Re: Route all traffic to one IP _only_ via wireguard

2018-04-28 Thread Eddie
I didn't think that AllowedIPs would filter traffic like that. But could be wrong. :-) Here's my take on your problem: Add "Table = off" and "FwMark = 1234 (or other value)" to the wg config, which will stop the routing tables being updated and add the routing mark to all encrypted packets.

Re: Route all traffic to one IP _only_ via wireguard

2018-04-28 Thread Eric Light
Hi Reiner! I think the problem here is your client's AllowedIPs section. If you only want to access one address, you only enter that target IP - not the whole internet space (0.0.0.0/0). That's why everything is being routed out via your wg0. So you should change that client AllowedIPs to 172

Route all traffic to one IP _only_ via wireguard

2018-04-28 Thread reiner otto
My basic setup of wg works, I can ssh from/to server or client. But the real goal is to tunnel only traffic with a specific destination IP via wireguard from client to server. I.e. a local router, which allows direct access to the web, _BUT_ all traffic going to the corporate server using wireguar