Tunnel a specific user's traffic over a WireGuard VPN connection

We’re using wg-quick and its systemd unit to manage the tunnel. Assuming you’ve set up /etc/wireguard/vpn.conf, add these rules to the [Interface] section:

Table = vpn
PostUp = ip rule add to 10.0.0.0/8 table main priority 1000
PostUp = ip rule add uidrange 1000-1000 table vpn priority 1001
PreDown = ip rule del to 10.0.0.0/8 table main priority 1000
PreDown = ip rule del uidrange 1000-1000 table vpn priority 1001

Table = vpn makes wg-quick put the tunnel's routes (derived from the peer's AllowedIPs) into the vpn routing table instead of main, so nothing is routed through the tunnel until you add policy rules that send lookups to that table. The name vpn has to be defined in /etc/iproute2/rt_tables (for example a line "200 vpn"); otherwise use the numeric table ID in both Table and the ip rule commands.

The first rule sends traffic destined for the local 10.x.x.x (10.0.0.0/8) network to the main table, so it is never tunneled over WireGuard. Because its priority number (1000) is lower than the per-user rule's (1001), it is evaluated first and wins for those destinations. I use this so that my ZeroTier connections keep working.

The second rule does the actual work: all other traffic from the selected UID range (here the single UID 1000) is looked up in the vpn table and therefore leaves over WireGuard. This only covers destinations that the peer's AllowedIPs include, so use 0.0.0.0/0 there if the whole user's traffic should go through the tunnel.

To find a user's UID, run id -u myusername and put that number in the uidrange (a range such as 1000-1005 selects several users at once).
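As an added check (not part of the original post), this script verifies the policy-routing setup the config above produces: it confirms from ip rule output that the 10.0.0.0/8 bypass rule carries a lower priority number than the uidrange rule, and extracts the egress device from ip route get <dst> uid <uid>, which resolves a route as that UID would see it. The sample outputs are constructed; the interface/table name vpn and UID 1000 follow the config above.

```shell
#!/bin/sh
# Constructed sample of `ip rule show` after the two PostUp rules have run.
SAMPLE_RULES='0:	from all lookup local
1000:	from all to 10.0.0.0/8 lookup main
1001:	from all uidrange 1000-1000 lookup vpn
32766:	from all lookup main
32767:	from all lookup default'

# Constructed samples of `ip route get <dst> uid 1000` for a tunneled and a local destination.
SAMPLE_ROUTE_TUNNEL='192.0.2.10 dev vpn table vpn src 10.200.0.2 uid 1000'
SAMPLE_ROUTE_LOCAL='10.0.0.5 dev zt0 src 10.0.0.2 uid 1000'

# rule_priority RULES SELECTOR: print the priority number of the first rule containing SELECTOR.
rule_priority() {
    printf '%s\n' "$1" | grep -F -- "$2" | head -n1 | cut -d: -f1
}

# check_rule_order RULES UID: succeed only if both rules exist and the 10/8 bypass
# is evaluated before the per-user rule (lower priority number wins).
check_rule_order() {
    bypass=$(rule_priority "$1" "to 10.0.0.0/8 lookup main")
    peruid=$(rule_priority "$1" "uidrange $2-$2 lookup vpn")
    [ -n "$bypass" ] && [ -n "$peruid" ] && [ "$bypass" -lt "$peruid" ]
}

# route_dev ROUTE_GET_OUTPUT: print the egress interface named after "dev".
route_dev() {
    printf '%s\n' "$1" | sed -n 's/.* dev \([^ ]*\).*/\1/p' | head -n1
}

# Live mode: run against the real system, e.g.  sh check.sh --live 1000
if [ "${1:-}" = "--live" ]; then
    uid="${2:-1000}"
    check_rule_order "$(ip rule show)" "$uid" || { echo "rule order wrong"; exit 1; }
    echo "uid $uid -> 192.0.2.10 leaves via $(route_dev "$(ip route get 192.0.2.10 uid "$uid")")"
    echo "uid $uid -> 10.0.0.5   leaves via $(route_dev "$(ip route get 10.0.0.5 uid "$uid")")"
fi
```

The expected live result is that the public destination reports dev vpn while the 10.x address reports the local (ZeroTier or LAN) interface.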