I want traffic of specific applications to go through a WireGuard tunnel using an iptables mark and ip rule, and I found that someone has encountered exactly the same problem.
The problem is: after setting up iptables and ip rule, the router itself can go through the WireGuard tunnel, but devices from the LAN can't (ping timeout, traceroute no reply).
I have checked many times that the firewall rules do not block any traffic from/to the LAN. Indeed, it's due to missing routes in the new table.
To solve that problem, create 90-wgroute in /etc/hotplug.d/iface with the script below; replace ipip6 with your own table name or id, and replace wg with your WireGuard interface name. When the interface comes up, the script copies every directly connected (scope link) route from the main table into the custom table, so that replies to LAN hosts still have a route when ip rule selects that table.
#!/bin/sh
# /etc/hotplug.d/iface/90-wgroute
# Run only when the WireGuard interface (here named "wg") comes up.
if [ "$ACTION" = ifup ] && [ "$INTERFACE" = wg ]; then
    sleep 1          # give netifd a moment to finish installing its routes
    i=ipip6          # routing table name (from /etc/iproute2/rt_tables) or numeric id
    # Every "scope link" route of the main table must also exist in table $i,
    # otherwise packets for LAN hosts have no route once ip rule selects $i.
    ip route | grep link | while read -r ROUTE; do
        # -F: compare the route line literally, not as a regular expression
        if ! ip route show table "$i" | grep -qF -- "$ROUTE"; then
            # $ROUTE is intentionally unquoted: its words are the arguments to ip
            ip route add $ROUTE table "$i" && logger "Found a missing route in table $i, add it."
        fi
    done
fi
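To see what the hotplug script actually compares, here is an added example (not part of the original post) that isolates the "which link routes are missing from the custom table" logic into a function fed with two route listings as text, so it can be checked offline without root or a real WireGuard interface. The listings, interface names and addresses are constructed samples in `ip route` output format; in the real script the two inputs are `ip route` and `ip route show table $i`, and each printed line becomes an `ip route add ... table $i`.

```shell
#!/bin/sh
# Added example: offline version of the route check done by 90-wgroute.

# missing_link_routes MAIN_LISTING TABLE_LISTING
#   Prints each "scope link" route found in MAIN_LISTING but absent from
#   TABLE_LISTING, one per line, in a form usable as arguments to `ip route add`.
missing_link_routes() {
    main="$1"
    table="$2"
    printf '%s\n' "$main" | grep link | while read -r route; do
        # -x -F: whole-line, literal match, so "10.0.0.0/8 dev x" is never taken
        # as "already present" just because "10.0.0.0/24 dev x" exists.
        if ! printf '%s\n' "$table" | grep -qxF -- "$route"; then
            printf '%s\n' "$route"
        fi
    done
}

# count_missing MAIN_LISTING TABLE_LISTING: number of routes the script would add.
count_missing() {
    missing_link_routes "$1" "$2" | wc -l | tr -d ' '
}

# Constructed sample: main table of a router with WAN (eth0), LAN (br-lan) and
# a WireGuard interface (wg). Addresses are documentation/private ranges.
MAIN_SAMPLE='default via 192.0.2.1 dev eth0
192.0.2.0/24 dev eth0 proto kernel scope link src 192.0.2.10
192.168.1.0/24 dev br-lan proto kernel scope link src 192.168.1.1
10.8.0.0/24 dev wg proto kernel scope link src 10.8.0.2'

# Constructed sample: the policy-routing table only knows the tunnel itself,
# which is exactly the situation that makes LAN replies undeliverable.
TABLE_SAMPLE='default dev wg
10.8.0.0/24 dev wg proto kernel scope link src 10.8.0.2'

# In 90-wgroute each of these lines would be passed to: ip route add $route table $i
missing_link_routes "$MAIN_SAMPLE" "$TABLE_SAMPLE"
```

Run as is, it prints the two link routes (eth0 and br-lan) that the custom table lacks; the wg route is already there and is skipped. The `-x` whole-line match is stricter than the `grep "$ROUTE"` substring match in the hotplug script, which is worth keeping in mind if you ever add routes to the table by hand with fewer attributes than `ip route` prints.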