logicziller 11 hours ago

One that I could not get to work properly with Wireguard is port-forwarding without masquerading.

I need the source IP to remain intact, but unless I add 0.0.0.0/0 to the AllowedIPs, the Wireguard peer will drop the packet. If I do add 0.0.0.0/0 to AllowedIPs, then it adds a route which prevents the response from my application from going back to the source.

Eventually gave up on it. Nobody had a clue how to fix this or what actually needs to be in the nft or firewalld rules for this to actually work properly.

mbilker 11 hours ago | parent | next [-]

If you are using `wg-quick`, then you need `Table = off` to disable adding routes to the system route table automatically. After that, then you can add routes manually.
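A worked configuration for the `Table = off` approach, added here as an example rather than taken from the thread; the tunnel addresses, interface names, the nft table name and the policy-routing table number are assumptions.

```ini
# --- VPS side (public endpoint), /etc/wireguard/wg0.conf ---
# Assumed: VPS tunnel address 10.0.0.1/24, home peer 10.0.0.2, public NIC eth0.
# net.ipv4.ip_forward=1 must be set on the VPS.
[Interface]
Address = 10.0.0.1/24
ListenPort = 51820
PrivateKey = <vps-private-key>
# DNAT inbound 443 to the home peer. No masquerade rule, so the client's
# source IP is preserved inside the tunnel; conntrack reverses the DNAT
# on the reply path.
PostUp = nft add table ip fwd
PostUp = nft add chain ip fwd prerouting '{ type nat hook prerouting priority -100; }'
PostUp = nft add rule ip fwd prerouting iifname "eth0" tcp dport 443 dnat to 10.0.0.2
PostDown = nft delete table ip fwd

[Peer]
PublicKey = <home-public-key>
AllowedIPs = 10.0.0.2/32

# --- Home side, /etc/wireguard/wg0.conf ---
# AllowedIPs = 0.0.0.0/0 on the VPS peer is required so this side accepts
# packets whose source is an arbitrary Internet address (cryptokey routing
# checks the inner source). Table = off stops wg-quick from turning that
# into a default route in the main table.
[Interface]
Address = 10.0.0.2/24
PrivateKey = <home-private-key>
Table = off
# Replies sent from the tunnel address are routed back through the tunnel
# via a dedicated routing table (51820 is an assumed, otherwise unused
# number); everything else keeps using the home default route.
PostUp = ip route add default dev %i table 51820
PostUp = ip rule add from 10.0.0.2 lookup 51820
PostDown = ip rule del from 10.0.0.2 lookup 51820
PostDown = ip route del default dev %i table 51820

[Peer]
PublicKey = <vps-public-key>
Endpoint = vps.example.com:51820
AllowedIPs = 0.0.0.0/0
PersistentKeepalive = 25
```

If forwarded packets arrive on the home side but the service never sees them, check reverse-path filtering on the tunnel interface (`net.ipv4.conf.wg0.rp_filter`); loose mode (2) avoids drops when the public source address has no route back via wg0 in the main table.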

graton 11 hours ago | parent [-]

This is the answer. I too ran into the same issue. Took me a while to figure this part out.

irunmyownemail 9 hours ago | parent | prev | next [-]

When a public Internet client connects to my VPS, WG routes the port traffic like 443 to the WG client here at home, then through Apache reverse proxy, then to a node in my kube cluster running a Spring Boot app, which is my main site. The logs show the IP of the incoming public Internet client.

The response is routed all the way back out to the Internet client.

Is what I'm describing not achieving what you're discussing?

Happy to post a sanitized version of my server and client config.
