Wireguard VPN, whitelist applications/exclude from VPN?

Fedora Workstation 39 kernel 6.6.9-200.fc39.x86_64, NetworkManager 1.44.2

How can certain applications be excluded from the VPN tunnel? Especially Docker containers.

I tried creating a virtual interface but the routing failed, the Docker service was accessible locally but not across the network. As soon as the VPN is activated from NetworkManager, all ports close.

The goal is to just have certain applications excluded from the VPN and have them accessible from the internet using the real external IP, incoming and outgoing connections.

Say there is a Docker container on 127.0.0.1:1234, this needs to be accessible.

Wireguard VPN is currently connected through NetworkManager, but any method would be welcome.

Hello @jdceubc,
Welcome to :fedora:,
I know there have been some doing things with wireguard and podman and you can likely do a search of discussions here to find their solutions. I found this which is specific to your question I think, but haven’t read it through, sorry … Routing Docker Host And Container Traffic Through WireGuard | LinuxServer.io.
I think in Fedora nmcli is still the tool for setting up network traffic whether virtual or physical.

[Edit] There is also Podman's documentation on this topic … podman/docs/tutorials/basic_networking.md at main · containers/podman · GitHub

and for more light reading … Getting Started with Podman | Podman

I do not know how to do this but I believe you can tell podman which network interfaces a container can see/access.

Set up the container to only see the interfaces you wish it to use.

# Add a policy-routing rule to the VPN profile: packets from the Docker bridge
# network (172.17.0.0/16) with source port 443 use the main table, not the VPN's.
sudo nmcli connection modify CONNECTION +ipv4.routing-rules \
    "priority 10000 table main from 172.17.0.0/16 sport 443"
sudo nmcli connection up CONNECTION   # re-activate so the rule is installed

Policy-based routing - Wikipedia

Thank you! It motivated me to read into Linux routing a little more. Because the Docker virtual IP was not accessible and I am using Docker in host network mode, it now works like this:

priority 10000 table main from 192.168.0.2 sport 8080

Where 192.168.0.2 is your server’s IP address on your network and 8080 is the port your (Docker) application is running on.

The connection name (VPN name here) can be retrieved by running nmcli connection show or by auto-completing with ‘tab’.

Run the command and it now automatically routes the traffic for my Docker application through the default route when the VPN is active.
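The rules in the two posts above generalise to any number of published ports. The script below is an added example, not code from the thread or from NetworkManager: it validates the port list, builds one "priority N table main from ADDR sport PORT" rule per port, and appends each to a VPN connection profile with nmcli. The profile name "wg0" used in the comments, the port list, and the 203.0.113.1 test destination are assumptions; 192.168.0.2 and 8080 are the values from the thread.

```shell
#!/bin/sh
# Added example: generate and apply nmcli policy-routing rules that keep
# selected local services out of the WireGuard tunnel.
# Assumptions: the host's LAN address is 192.168.0.2 (from the thread), the
# VPN profile is called "wg0" (hypothetical), and the services listen on the
# ports passed in. None of this is NetworkManager's own code.

# Reject anything that is not a TCP/UDP port number in 1..65535.
is_port() {
    case $1 in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Print one rule per port. A rule sends packets whose *source* is ADDR:PORT,
# i.e. the replies a listening service sends, to the main table, which holds
# the real default route. Priority 10000 is evaluated before the higher
# numbered rules a WireGuard profile installs, so these win. Each rule gets
# its own priority so "ip rule show" output stays unambiguous.
make_rules() {
    addr=$1; shift
    prio=10000
    for port in "$@"; do
        is_port "$port" || { echo "bad port: $port" >&2; return 1; }
        printf 'priority %s table main from %s sport %s\n' "$prio" "$addr" "$port"
        prio=$((prio + 1))
    done
}

# Append every generated rule to the profile, then re-activate it so the
# rules are installed. "+ipv4.routing-rules" adds to the existing list, so
# repeated modify calls accumulate rather than overwrite.
apply_rules() {
    conn=$1; addr=$2; shift 2
    make_rules "$addr" "$@" | while IFS= read -r rule; do
        nmcli connection modify "$conn" +ipv4.routing-rules "$rule"
    done
    nmcli connection up "$conn"
}

# Usage (needs root and an existing profile):
#   apply_rules wg0 192.168.0.2 8080 8443
```

After applying, `ip rule show` should list the new rules, and `ip route get 203.0.113.1 from 192.168.0.2 sport 8080` should resolve via the LAN gateway rather than the wg interface. Note the limitation built into this approach: only traffic leaving from the listed source ports bypasses the tunnel, so an application's own outbound connections, which use ephemeral source ports, still go through the VPN.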