- Bug
- Resolution: Unresolved
- Major
- rhel-10.1
- rhel-net-mgmt
- CCS 2026-1
Document link:
Section number and name:
7.10. Configuring a WireGuard client by using nmcli
Describe the issue:
When following the documentation describing how to set up a WireGuard client with nmcli and AllowedIPs 0.0.0.0/0, the setup does not work. When setting AllowedIPs 0.0.0.0/0, NetworkManager configures the network to use mark-based routing to route all local traffic within the WireGuard tunnel and keep said tunnel working. For this to work, the sysctl net.ipv4.conf.all.src_valid_mark=1 must be set. By default on RHEL 10, the value is set to 0. As such, the tunnel does not work by just following the documentation.
This issue has been tested on RHEL 10 with the latest updates but not on previous versions. I also don't know in which version mark-based routing was added to NetworkManager/nmcli management for WireGuard, and as such which RHEL version is the first one impacted. Note that the WireGuard documentation in previous versions is similar to the one for RHEL 10.
Impact of this issue:
Without setting net.ipv4.conf.all.src_valid_mark=1 when AllowedIPs is set to 0.0.0.0/0, the WireGuard client setup does not work.
Suggestions for improvement:
Include in the documentation a mention that net.ipv4.conf.all.src_valid_mark=1 must be set when setting AllowedIPs to 0.0.0.0/0.
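
A preflight check for the condition described in this report, as an added example that is not part of the original report or of the RHEL documentation. It assumes the peer is defined in a NetworkManager keyfile `[wireguard-peer.<public-key>]` section; the sample profile, its key placeholder and the `99-wireguard.conf` file name are constructed for illustration.

```bash
#!/usr/bin/env bash
# Flags a WireGuard profile that routes 0.0.0.0/0 while src_valid_mark is not 1.

# Return 0 if any [wireguard-peer.*] section lists 0.0.0.0/0 in allowed-ips.
routes_all_ipv4() {
    awk '
        /^\[/ { in_peer = ($0 ~ /^\[wireguard-peer\./) }
        in_peer && /^[ \t]*allowed-ips[ \t]*=/ {
            sub(/^[^=]*=/, "")                    # keep only the value
            n = split($0, ips, /[;, \t]+/)        # keyfile lists are ;-separated
            for (i = 1; i <= n; i++) if (ips[i] == "0.0.0.0/0") found = 1
        }
        END { exit(found ? 0 : 1) }
    ' "$1"
}

# Read the live sysctl value; prints "unknown" where /proc is unavailable.
current_src_valid_mark() {
    cat /proc/sys/net/ipv4/conf/all/src_valid_mark 2>/dev/null || echo unknown
}

# Print a verdict for profile $1 given src_valid_mark value $2.
check_profile() {
    if ! routes_all_ipv4 "$1"; then
        echo "ok: no peer routes 0.0.0.0/0"
    elif [ "$2" = "1" ]; then
        echo "ok: src_valid_mark=1"
    else
        echo "fail: set net.ipv4.conf.all.src_valid_mark=1"
    fi
}

# Constructed sample profile (not a real key or endpoint).
sample=$(mktemp)
trap 'rm -f "$sample"' EXIT
cat > "$sample" <<'EOF'
[connection]
id=wg0
type=wireguard
interface-name=wg0

[wireguard-peer.CONSTRUCTED_PUBLIC_KEY_PLACEHOLDER=]
endpoint=server.example.com:51820
allowed-ips=0.0.0.0/0;
EOF
check_profile "$sample" "$(current_src_valid_mark)"

# Remediation as root (the drop-in file name is a hypothetical choice):
#   sysctl -w net.ipv4.conf.all.src_valid_mark=1
#   echo 'net.ipv4.conf.all.src_valid_mark=1' > /etc/sysctl.d/99-wireguard.conf
```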