Hi

I have been using WireGuard for a while now and discovered an issue with the routes created by the macOS and iOS GUI clients. The issue is that WireGuard does not create a route to the endpoint via the existing default route. So when you specify AllowedIPs = 0.0.0.0/0 (excluding private IPs does not change anything) on a client, everything just stops working, because 0.0.0.0/0 is now reachable only through the WireGuard tunnel, which is obviously not reachable as there is no route to it through the normal internet connection.

Pretty much, the routes look like this:
default via 10.80.0.1 dev wg0 - default route through wg
default via 10.0.0.1 dev eth0 - old default route through ethernet
10.0.0.0/24 dev eth0

whereas they have to look like this:
default via 10.80.0.1 dev wg0 - default route through wg
default via 10.0.0.1 dev eth0 - old default route through ethernet
1.2.3.4/32 via 10.0.0.1 dev eth0 - specific route to wireguard endpoint (1.2.3.4 here) through ethernet which is missing
10.0.0.0/24 dev eth0

Right now the only workaround is manually calculating the AllowedIPs CIDRs excluding the endpoint address. I assume this is not by design and should be fixed by either creating a route to the WireGuard endpoint through the default gateway or excluding the endpoint IP from AllowedIPs without having to do it manually in the config.