by agwa 773 days ago
In general, rule-based solutions are good if they use fwmark, but this gives me pause:

> And finally we add a convenience feature for still accessing the local network, whereby we allow packets without the fwmark to use the main routing table, not the WireGuard interface's routing table, if it matches any routes in it with a prefix length greater than zero, such as non-default local routes. [https://www.wireguard.com/netns/#improved-rule-based-routing]

Doesn't that completely neutralize the protection against a DHCP server sending malicious routes or a gigantic subnet mask?

1 comment

It's just a default convenience feature from wg-quick; it's not intended to be something that fits all use cases. On trusted networks, split-tunneling like that makes a lot of sense.
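To make the concern in the question concrete, here is an added example (not code from wg-quick or the WireGuard project) that models the Linux policy-routing semantics the quoted paragraph relies on: rules evaluated in priority order, `not fwmark` matching, and `suppress_prefixlength 0`, which throws away a lookup result whose matched route has prefix length 0 and falls through to the next rule. It then plays three packets through two rule sets: the wg-quick-style rules, and a hardened variant (the editor's suggestion, not something wg-quick ships) that bypasses the tunnel only for one explicitly trusted LAN prefix via `ip rule add to <lan> table main`. The routing tables, the interface names, the rogue DHCP routes `0.0.0.0/1` + `128.0.0.0/1` (classless static routes with prefix length 1, which `suppress_prefixlength 0` does not suppress), and the destination addresses are all constructed for the demo.

```python
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed model of Linux policy routing, enough to show what
#   ip rule add table main suppress_prefixlength 0     (wg-quick convenience rule)
#   ip rule add not fwmark 51820 table 51820           (everything else -> tunnel table)
# do to an untagged packet. Rules are evaluated in list order (lowest
# priority number first); a hit in a table whose route prefix length is
# <= suppress_prefixlength is discarded and evaluation continues.

WG_MARK = 51820  # wg-quick uses the table number as the fwmark; assumed here

Net = ipaddress.IPv4Network
Addr = ipaddress.IPv4Address


@dataclass
class Route:
    prefix: Net
    dev: str


@dataclass
class Rule:
    table: str
    not_fwmark: Optional[int] = None      # skip rule when packet carries this mark
    to: Optional[Net] = None              # only consider destinations in this prefix
    suppress_prefixlength: Optional[int] = None


def lookup_table(table: list[Route], dst: Addr) -> Optional[Route]:
    """Longest-prefix match inside a single routing table."""
    hits = [r for r in table if dst in r.prefix]
    return max(hits, key=lambda r: r.prefix.prefixlen) if hits else None


def route_packet(rules: list[Rule], tables: dict[str, list[Route]],
                 dst: str, fwmark: int = 0) -> Optional[str]:
    """Return the egress device chosen for one packet, or None if unroutable."""
    d = Addr(dst)
    for rule in rules:
        if rule.not_fwmark is not None and fwmark == rule.not_fwmark:
            continue
        if rule.to is not None and d not in rule.to:
            continue
        hit = lookup_table(tables[rule.table], d)
        if hit is None:
            continue
        if (rule.suppress_prefixlength is not None
                and hit.prefix.prefixlen <= rule.suppress_prefixlength):
            continue  # suppressed: fall through to the next rule
        return hit.dev
    return None


def wg_quick_rules() -> list[Rule]:
    """Rule order wg-quick ends up with: suppress rule first, then not-fwmark, then main."""
    return [
        Rule(table="main", suppress_prefixlength=0),
        Rule(table="wg", not_fwmark=WG_MARK),
        Rule(table="main"),
    ]


def hardened_rules(trusted_lan: Net) -> list[Rule]:
    """Editor's alternative: only a known LAN prefix may bypass the tunnel."""
    return [
        Rule(table="main", to=trusted_lan),
        Rule(table="wg", not_fwmark=WG_MARK),
        Rule(table="main"),
    ]


def build_tables(rogue_dhcp: bool) -> dict[str, list[Route]]:
    """Constructed tables: a default route and a /24 LAN on eth0, 0/0 via wg0."""
    main = [Route(Net("0.0.0.0/0"), "eth0"), Route(Net("192.168.1.0/24"), "eth0")]
    if rogue_dhcp:
        # Two /1 routes cover all of IPv4 yet have prefix length 1 > 0.
        main += [Route(Net("0.0.0.0/1"), "eth0"), Route(Net("128.0.0.0/1"), "eth0")]
    return {"main": main, "wg": [Route(Net("0.0.0.0/0"), "wg0")]}


def demo() -> dict[tuple[str, bool], dict[str, Optional[str]]]:
    """Egress per (rule set, rogue DHCP present) for a LAN host, an Internet host,
    and WireGuard's own fwmarked UDP to its endpoint (constructed addresses)."""
    results = {}
    lan = Net("192.168.1.0/24")
    for label, rules in (("wg-quick", wg_quick_rules()), ("hardened", hardened_rules(lan))):
        for rogue in (False, True):
            t = build_tables(rogue)
            results[(label, rogue)] = {
                "lan": route_packet(rules, t, "192.168.1.20"),
                "internet": route_packet(rules, t, "93.184.216.34"),
                "wg_udp": route_packet(rules, t, "203.0.113.7", fwmark=WG_MARK),
            }
    return results


if __name__ == "__main__":
    for key, egress in demo().items():
        print(key, egress)
```

With the wg-quick-style rules and a clean main table, the LAN host goes out eth0 and the Internet host goes through wg0, which is the intended convenience. Once the rogue /1 routes are present, the Internet host also matches a prefix of length 1 in main, the suppress rule lets that hit stand, and the packet leaves eth0 unencrypted; WireGuard's own marked UDP is unaffected either way. The hardened rule set keeps the leak out because untagged traffic can only reach main for the one trusted prefix, at the cost of having to know that prefix up front, which is exactly the trade-off the reply above points at.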