
Untitled

a guest
Jun 27th, 2019
```text
--------------------------
| WG Host                |
|------------------------|
| eth0:  192.168.1.30    | <- dhcp, home network, default gateway
| tun0:  214.144.203.5   | <- vpn with public ipv4 address, gw for public services
| vmnet: 192.168.5.1     | <- virtual machines, server daemons
| wg0:   192.168.10.1    | <- wireguard
--------------------------
```

```shell
# Anything leaving through the VPN tunnel gets the tunnel's address as source
iptables -A POSTROUTING -t nat -o tun0 -j MASQUERADE

# Always set source IP to VPN ip, so home network clients do not get confused
iptables -A POSTROUTING -t nat -p tcp --sport 80 -j SNAT --to 214.144.203.5
iptables -A POSTROUTING -t nat -p tcp --sport 443 -j SNAT --to 214.144.203.5

# public services, default gateway via vpn: mark forwarded replies from the web servers
iptables -A PREROUTING -t mangle -p tcp --sport 80 -j MARK --set-mark 2
iptables -A PREROUTING -t mangle -p tcp --sport 443 -j MARK --set-mark 2

# Do the same for ssh & wireguard (123/udp), which run on the host itself (OUTPUT chain).
# Replies to the home network are excluded; note that "-d 192.168.1.0" without a mask
# matches only the single address 192.168.1.0, so the /24 is spelled out here.
iptables -A OUTPUT -t mangle -p tcp --sport 22 ! -d 192.168.1.0/24 -j MARK --set-mark 2
iptables -A OUTPUT -t mangle -p udp --sport 123 ! -d 192.168.1.0/24 -j MARK --set-mark 2

# Marked packets use routing table 2: default via the VPN, local networks stay direct
ip rule add fwmark 2 table 2
ip route add default via 214.144.203.4 dev tun0 table 2
ip route add 192.168.5.0/24 dev vmnet table 2
ip route add 192.168.1.0/24 dev eth0 table 2
```
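How the kernel resolves these rules for a few representative reply packets, as an added Python model that is not part of the paste: it applies the paste's mangle marks, then consults the local table, the fwmark 2 rule and finally main, with the home router assumed to be the main-table default gateway and 203.0.113.7 used as a constructed internet client. Table 2 is modelled with only the two LAN routes and the tun0 default, which also shows that marked ssh replies to WireGuard peers (192.168.10.0/24) would be sent down tun0 rather than wg0.

```python
import ipaddress

# Constructed model of the paste's host: addresses the kernel owns (the "local" table,
# always consulted first), then the main table and the fwmark table 2.
LOCAL_ADDRS = {"192.168.1.30", "214.144.203.5", "192.168.5.1", "192.168.10.1"}
TABLES = {
    "main": [("192.168.1.0/24", "eth0"), ("192.168.5.0/24", "vmnet"),
             ("192.168.10.0/24", "wg0"), ("0.0.0.0/0", "eth0")],   # default gw: home router (assumed)
    "2": [("192.168.5.0/24", "vmnet"), ("192.168.1.0/24", "eth0"),
          ("0.0.0.0/0", "tun0")],                                  # default gw: VPN
}
HOME_NET = ipaddress.ip_network("192.168.1.0/24")


def fwmark(chain, proto, sport, dst):
    """Mangle-table marking as in the paste: PREROUTING marks forwarded web replies,
    OUTPUT marks the host's own ssh/wireguard replies unless they go to the home LAN."""
    if chain == "PREROUTING" and proto == "tcp" and sport in (80, 443):
        return 2
    if chain == "OUTPUT" and (proto, sport) in (("tcp", 22), ("udp", 123)):
        if ipaddress.ip_address(dst) not in HOME_NET:
            return 2
    return 0


def lookup(table, dst):
    """Longest-prefix match inside one routing table; None if nothing matches."""
    best = None
    for prefix, dev in TABLES[table]:
        net = ipaddress.ip_network(prefix)
        if ipaddress.ip_address(dst) in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, dev)
    return best[1] if best else None


def egress(chain, proto, sport, dst):
    """Pick the outgoing device the way 'ip rule' order does: local, then fwmark 2 -> table 2, then main."""
    if dst in LOCAL_ADDRS:
        return "lo"
    if fwmark(chain, proto, sport, dst) == 2:
        dev = lookup("2", dst)
        if dev:
            return dev
    return lookup("main", dst)
```

Adding `ip route add 192.168.10.0/24 dev wg0 table 2` would keep those marked ssh replies on wg0.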