Hi, I have been using WireGuard for a while now and discovered an issue with routes created by the macOS and iOS GUI clients. The issue is that WireGuard does not create a route to the endpoint via the default route. So when you specify AllowedIPs = 0.0.0.0/0 (excluding private IPs does not change anything) on a client, everything just stops working, because 0.0.0.0/0 is now reachable only through the WireGuard tunnel, which is obviously not reachable as there is no route to it through the normal internet connection.

Pretty much, the routes look like this:

- *default via 10.80.0.1 dev wg0* - default route through wg
- *default via 10.0.0.1 dev eth0* - old default route through ethernet
- *10.0.0.0/24 dev eth0*

When they have to look like this:

- *default via 10.80.0.1 dev wg0* - default route through wg
- *default via 10.0.0.1 dev eth0* - old default route through ethernet
- *1.2.3.4/32 via 10.0.0.1 dev eth0* - specific route to the WireGuard endpoint (1.2.3.4 here) through ethernet, *which is missing*
- *10.0.0.0/24 dev eth0*

Right now the only workaround is manually calculating AllowedIPs CIDRs excluding the endpoint address. I assume this is not by design and should be fixed by either creating a route to the wg endpoint through the default gateway or excluding the endpoint IP from AllowedIPs without having to do it manually in the config.
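The workaround the post describes, "manually calculating AllowedIPs CIDRs excluding the endpoint address", is mechanical enough to script. The following is an added example, not code from the post or from the WireGuard project: it uses Python's standard `ipaddress` module to subtract one or more networks (the endpoint 1.2.3.4 from the post, and optionally private ranges such as 10.0.0.0/8) from a starting AllowedIPs set and emits the resulting comma-separated list in the form a WireGuard config expects. Excluding a /32 from 0.0.0.0/0 always yields 32 prefixes, which is why the hand-computed list in the post is so long.

```python
import ipaddress
from typing import Iterable, List, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


def exclude_from_allowed_ips(allowed: Iterable[str], excluded: Iterable[str]) -> List[Network]:
    """Return the CIDRs in `allowed` minus every CIDR in `excluded`.

    Each exclusion is applied in turn: a prefix that is entirely inside an
    excluded range is dropped, one that merely overlaps it is split with
    address_exclude(), and everything else is kept as-is.
    """
    nets: List[Network] = [ipaddress.ip_network(a) for a in allowed]
    for ex in (ipaddress.ip_network(e) for e in excluded):
        remaining: List[Network] = []
        for net in nets:
            if net.version != ex.version or not net.overlaps(ex):
                remaining.append(net)          # untouched by this exclusion
            elif net.subnet_of(ex):
                continue                       # wholly excluded, drop it
            else:
                remaining.extend(net.address_exclude(ex))  # carve the hole out
        nets = remaining
    # Sort v4 before v6, then by prefix, for a stable, readable config line.
    return sorted(nets, key=lambda n: (n.version, n))


def covers(nets: Iterable[Network], ip: str) -> bool:
    """True if `ip` falls inside any of the given networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in n for n in nets)


def format_allowed_ips(nets: Iterable[Network]) -> str:
    """Render the list as a WireGuard `AllowedIPs = ...` value."""
    return ", ".join(str(n) for n in nets)


if __name__ == "__main__":
    # Constructed values: the endpoint and LAN from the post, full-tunnel AllowedIPs.
    endpoint = "1.2.3.4"
    result = exclude_from_allowed_ips(["0.0.0.0/0"], [endpoint, "10.0.0.0/24"])
    print(f"AllowedIPs = {format_allowed_ips(result)}")
    print(f"{len(result)} prefixes; endpoint reachable via tunnel: {covers(result, endpoint)}")
```

Running the block prints the `AllowedIPs` line to paste into the `[Peer]` section; the endpoint and the local 10.0.0.0/24 LAN from the post are then routed over the physical interface instead of into the tunnel, which is the behaviour the missing /32 route would otherwise provide.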