(Apologies in advance if this email gets orphaned. I don't understand how mailing lists work.)

What I can see is that WireGuard uses the default route interface as its source IP for any outgoing packets. This means that if you receive a connection request from eth1 and the default route is eth0, it will attempt to send out on the IP of eth0. By design or lack of features, it ignores which interface and IP the incoming packet was received on.

I'm trying to do something similar to you, but even with your iptables rules I can't get mine to work. I have a more complicated setup and I can't seem to get the outbound packets to follow a routing table using a mark. My current solution is to rebuild my VPNs and iptables rules by changing my routes to make WireGuard reply by default on the correct interface for my situation.