WireGuard is partially broken on NixOS

Hi folks,

A year ago when I used Debian I remember that I used two WireGuard tunnels at the same time:

# first.conf
AllowedIPs =
# second.conf
AllowedIPs =,

And it worked (simply via wg-quick up). In other words everything went through first except when I wanted to connect and Those connections used the second interface.

For some strange reasons, it doesn’t work now when I’m on NixOS. I confirmed that both first and second work with AllowedIPs = but when I connect both or when I connect the second only, I can’t reach and

I spent several hours trying to debug it, it’s not FW issue (I nft flush ruleset to make sure) and it’s not DNS issue since I tried to connect and directly.

Could you please help?

Is it possible that WireGuard is somehow broken on NixOS?

Thank you.

Could it be that the order of the configurations does matter. Maybe, you need the special case first and then the catch all one?

Check your routing table & rules:

ip route show table all
ip rule

Thank you for the reply.

That looks as it should - the default rule adds ip rule and the non-default just adds items into the default routing table.

I discovered that it is Network Manager that causes the issue. When I reboot and do all configuration via wg-quick, everything works fine. All traffic uses the default VPN except traffic to AllowedIps in the second VPN.

But when I nmcli connection import type wireguard file via Network Manager, only the default VPN works. The VPN with specified IPs doesn’t. So it’s definitely not a problem in NixOS.

Thank you.