Jason,
To elaborate on https://lists.zx2c4.com/pipermail/wireguard/2017-August/001598.html, there is something that can be clarified …

I have a multihomed server (our router for everything) attached to a core switch with VLANs, and the router runs Open vSwitch (but that's beside the point).

We run a bunch of wg peers, interconnected with each other (30 or so), but most connect directly to our router.

The router has an Uplink interface with a /30, and I use that interface solely to forward packets to our (BGP-routed) default gateway (Provider).

On the same router, I have a Public interface, also with a public IP (/24), and on the router itself I have some IP addresses used for DNAT, here specifically one for WireGuard (so NOT the Uplink IP address).

When WireGuard clients connect, their config shows their peer to be the Uplink IP address instead of the IP on the Public interface that was specifically assigned for WireGuard (wgsrv), and as such packets sent to the Uplink IP address were dropped by the firewall.

You might say: open up the port for WireGuard on the Uplink and off you go. Which I did, to solve my immediate problem. (I still find it ugly.)

But now we're getting a second provider in da house, which will be connected the same way as the other, with that link being Uplink2. So now I really need my BGP-routed Public IP address to be the sole IP address answering WireGuard packets, so that I can be sure that if one of my BGP peers dies, the same Public IP address is used by the clients, not the one WireGuard deduces from the subnet with the default route.

Now, WireGuard will use the incoming UplinkX IP as source and advertise it to the clients connected through either one that has the same metric and routing policy.

Voilà… in a nutshell ;-)

Jan
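An added example, not code from Jan's post or from the WireGuard project, for the two things a practitioner would want to check in the setup described above: which source address the server's kernel picks towards a client (the address that will turn up as the client's peer endpoint unless policy routing says otherwise), and whether a client's wg-quick config ended up pointed at the uplink /30 instead of the reserved public address. The addressing (192.0.2.0/30 as the uplink, 198.51.100.0/24 as the public block, 198.51.100.10:51820 as the WireGuard address) is assumed, using RFC 5737 documentation ranges in place of the poster's real networks, and the sample client config is constructed. The source-address probe relies on the fact that connect() on a UDP socket only performs the route lookup and binds the local address; it sends no packet.

```python
#!/usr/bin/env python3
"""Two checks for the multihomed WireGuard server problem described above.

Added example, not code from the post or from the WireGuard project.
All addresses are RFC 5737 documentation ranges standing in for the
poster's real uplink /30 and public /24; the layout is assumed.
"""
import ipaddress
import re
import socket
from typing import Optional

# Assumed addressing, modelled on the post: a /30 on the uplink, a public
# /24 on the Public interface, and one public address reserved for WireGuard.
UPLINK_NET = ipaddress.ip_network("192.0.2.0/30")
PUBLIC_NET = ipaddress.ip_network("198.51.100.0/24")
WG_PUBLIC_IP = ipaddress.ip_address("198.51.100.10")
WG_PORT = 51820


def kernel_source_for(dst: str, port: int = WG_PORT) -> Optional[str]:
    """Source IP the kernel's route lookup selects for dst.

    connect() on a UDP socket only performs the route lookup and binds the
    local address; no packet is sent. Without policy routing this is the
    address a reply from the server will carry. Returns None when dst is
    unreachable (e.g. on a host with no default route).
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        sock.connect((dst, port))
        return sock.getsockname()[0]
    except OSError:
        return None
    finally:
        sock.close()


def reply_source_is_expected(dst: str,
                             expected: ipaddress.IPv4Address = WG_PUBLIC_IP
                             ) -> Optional[bool]:
    """True if replies to dst would leave from the intended WireGuard IP."""
    src = kernel_source_for(dst)
    if src is None:
        return None
    return ipaddress.ip_address(src) == expected


# Matches "Endpoint = host:port" in a wg-quick [Peer] section (IPv4 or
# hostname; bracketed IPv6 endpoints are not handled here).
_ENDPOINT_RE = re.compile(r"^\s*Endpoint\s*=\s*([^\s:\[\]]+):(\d+)\s*$", re.M)


def classify_endpoint(config_text: str) -> str:
    """Say which of the server's addresses a client config is pointed at.

    Returns one of: "ok" (the reserved WireGuard IP and port), "uplink"
    (an address in the uplink /30, the symptom from the post),
    "other-public" (any other address/port in the public /24),
    "hostname", "unknown" or "no-endpoint".
    """
    match = _ENDPOINT_RE.search(config_text)
    if not match:
        return "no-endpoint"
    host, port = match.group(1), int(match.group(2))
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return "hostname"
    if addr == WG_PUBLIC_IP and port == WG_PORT:
        return "ok"
    if addr in UPLINK_NET:
        return "uplink"
    if addr in PUBLIC_NET:
        return "other-public"
    return "unknown"


# Constructed sample client config showing the symptom: the peer endpoint
# is the uplink address rather than the reserved public one.
SAMPLE_CLIENT_CONF = """\
[Interface]
PrivateKey = <redacted>
Address = 10.7.0.2/32

[Peer]
PublicKey = <redacted>
Endpoint = 192.0.2.2:51820
AllowedIPs = 10.7.0.0/24
"""

if __name__ == "__main__":
    print("client config endpoint:", classify_endpoint(SAMPLE_CLIENT_CONF))
    # Run on the server: which source address would it use towards a client?
    print("kernel source towards 203.0.113.5:", kernel_source_for("203.0.113.5"))
```

Run `kernel_source_for()` on the router itself with a real client address as `dst`; if it returns the uplink address rather than the reserved public one, the route lookup, not WireGuard's configuration, is what the clients are picking up as their endpoint, and the fix belongs in the routing table (a `src` hint on the route or a policy-routing rule), not in the firewall.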