Route all traffic through Wireguard interface

I also had issues with allowedIPs = [ "0.0.0.0/0" ], but was able to solve it with an ip route.

The Problem: including 0.0.0.0/0 as an allowed IP routes all traffic through the Wireguard interface (good!), including the wireguard traffic itself (not good!). As far as I can tell, all network traffic ends up in a loop and never actually leaves the machine.

The Solution: Add a more specific ip route allowing traffic to the VPN via the default gateway.

I controlled the route with the following added to my nix config:

networking.wireguard.interfaces.wg0 = {
  postSetup = "${pkgs.iproute}/bin/ip route add <vpn-public-ip> via <default-gateway>";
  postShutdown = "${pkgs.iproute}/bin/ip route del <vpn-public-ip> via <default-gateway>";
};

where in my case <default-gateway> happened to be 192.168.1.1 and <vpn-public-ip> is the public IP (i.e. not 10.x.x.x) of the Wireguard server. Adding this to the config now properly routes all traffic through the Wireguard connection.

Currently, the wiki page for Wireguard demonstrates a client config with allowedIPs = [ "0.0.0.0/0" ], but as far as I can tell includes nothing to add a route for the VPN itself, at least in the section for the basic Wireguard client. Perhaps I missed something, or maybe I’m misunderstanding the ip routes, but if not, should the wiki be updated to include the client ip route rules?

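As an added example (not part of the original post or of the NixOS module), a small POSIX shell helper that derives the same "escape" host route from the output of `ip route`: it reads the default gateway and its device from a constructed sample route table, builds the `ip route add`/`del` command that belongs in postSetup/postShutdown, and checks whether such a host route for the endpoint already exists. The endpoint address 203.0.113.5 and the route table text are constructed for the example.

```shell
#!/bin/sh
# Added example: with AllowedIPs = 0.0.0.0/0 every destination is pulled into wg0,
# including the WireGuard endpoint itself, so a more specific /32 route to the
# endpoint via the physical default gateway must exist for the tunnel to leave the host.

# Constructed sample of `ip route` output (not taken from a real machine).
SAMPLE_ROUTES='default via 192.168.1.1 dev eth0 proto dhcp metric 100
10.100.0.0/24 dev wg0 proto kernel scope link src 10.100.0.2
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.50'

# default_gateway ROUTE_TABLE_TEXT -> prints "<gateway> <device>" of the default route
default_gateway() {
  printf '%s\n' "$1" | awk '$1 == "default" && $2 == "via" { print $3, $5; exit }'
}

# endpoint_route_cmd add|del ENDPOINT_IP ROUTE_TABLE_TEXT
# Prints the ip route command for a /32 to the endpoint via the default gateway,
# i.e. the command the post puts into postSetup (add) and postShutdown (del).
endpoint_route_cmd() {
  action="$1"; ep="$2"
  gw_dev=$(default_gateway "$3")
  [ -n "$gw_dev" ] || { echo "no default route found" >&2; return 1; }
  gw=${gw_dev% *}
  dev=${gw_dev#* }
  printf 'ip route %s %s/32 via %s dev %s\n' "$action" "$ep" "$gw" "$dev"
}

# has_endpoint_route ENDPOINT_IP ROUTE_TABLE_TEXT -> succeeds if a host route
# for the endpoint is present (ip prints /32 routes without the prefix length).
has_endpoint_route() {
  printf '%s\n' "$2" | awk -v ep="$1" '$1 == ep && $2 == "via" { found = 1 } END { exit !found }'
}

# Demonstration on the constructed table; on a real host the printed command
# would be run as root before bringing up the tunnel.
if ! has_endpoint_route 203.0.113.5 "$SAMPLE_ROUTES"; then
  endpoint_route_cmd add 203.0.113.5 "$SAMPLE_ROUTES"
fi
```

Running it against the live table (`ip route`) instead of the sample shows whether the endpoint would otherwise be swallowed by the 0.0.0.0/0 route on wg0.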