Setting source IP for router generated traffic (WireGuard specifically)

I have a BGP VyOS install running my AS. I am currently peering at 2 IXs which of course have private network IPs meant to be used inside the IX network. I am running WireGuard and the same router for some site-to-site and RoadWarrior traffic. I have noticed that the router will, after setting the WireGuard Peer IP upon peer connection, use the interface that has the best route to send packets back to the other peer (as it should). Since those packets go over IXs, the router is using the IP that it has on the IX (in the IANA GHOST-NET region) as the SRCIP of the packets instead of a publically routable one. Is it possible to force the router to use an IP I have on a dummy interface (dum1) as the SRCIP on all interfaces when non-local traffic is involved? I have already tried an SNAT and that didn’t work. I have been able to get this working with some system services like DNS by specifying the source-address, but I can’t seem to be able to do it for WireGuard.

sNAT rule is ugly workaround, but should work. Maybe rule gets lost if applied before wg interface is present, or doesn’t have an IP address yet
Maybe you can create a more generic rule , like using wg+ as interface

It appears I forgot to clear conntrack after commiting the rule. Packets now have correct source IP, but the source port changes. Is there a way to do this better? I think the source port not being the wireguard port is making WG not work.

Playing further, I still seem to have the issue of the source port not being 51820 even though it’s free in the NAT table. That only happens if I flush conntrack while a peer is connected. If no peers are connected NAT will assign 51820 as the SPORT of the rule. Is this a vyos issue or something else?

Just to clarify, the SNAT rules are set on the outbound interfaces and dont touch the wg interfaces, since the wg network has direct publically routable IPs

Is your wg instance listening on those ports itself?

Try setting source port using the existing sNAT rule

@CraftByte , use an IP address with netmask /32 for both source address and translation address in the NAT rule and the port should stay the same after translation.