When connecting to a WireGuard VPN using NetworkManager on RHEL/CentOS systems, the connection comes up but there is no network connectivity through it (pings fail). Meanwhile, an OpenVPN connection on the same machine works perfectly fine.
Unlike OpenVPN, which adds ordinary routes to the main routing table, NetworkManager's WireGuard implementation uses policy-based routing: outgoing encrypted packets carry a firewall mark (fwmark), and ip rules keyed on that mark steer traffic through a separate routing table (usually table 51963) whose default route points at the WireGuard interface. Nothing in the main table shows the VPN, which is why `ip route` looks normal while traffic disappears.
RHEL and CentOS enable strict reverse path filtering (net.ipv4.conf.all.rp_filter=1) by default as an anti-spoofing measure. In strict mode the kernel looks up the source address of every incoming packet and drops the packet if the route back to that source would not leave through the interface the packet arrived on. Because the policy rules select the routing table by fwmark, that reverse lookup, done without the mark, resolves through the WireGuard table instead of the table the traffic actually used, so the check fails and the packets are silently dropped. Note that the effective rp_filter value for an interface is the higher of conf.all and conf.<iface>, so a per-interface 0 does not override the strict global setting.
You need to tell the reverse path filter to include the packet's fwmark in its route lookup by enabling net.ipv4.conf.all.src_valid_mark. This is the same setting wg-quick applies itself when it installs a default route; NetworkManager leaves it to you.
1. Create a persistent sysctl configuration:
echo "net.ipv4.conf.all.src_valid_mark = 1" | sudo tee /etc/sysctl.d/99-wireguard.conf
2. Apply the change immediately:
sudo sysctl -p /etc/sysctl.d/99-wireguard.conf
3. Restart your WireGuard connection:
sudo nmcli connection down <your_connection_name>
sudo nmcli connection up <your_connection_name>
(Note: src_valid_mark is an IPv4-only sysctl. The kernel has no rp_filter sysctl for IPv6, so there is no IPv6 equivalent to set; IPv6 reverse path filtering, where it exists at all, is done in netfilter rather than by this mechanism.)
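The diagnosis and fix above, collected into one script. This is an added example, not part of the original page and not NetworkManager's or WireGuard's own tooling. The drop-in path /etc/sysctl.d/99-wireguard.conf and the `check`/`fix` subcommands are this script's own conventions; `needs_fix` encodes the decision rule the text describes (strict rp_filter plus src_valid_mark off), and `effective_rp_filter` reproduces the kernel's max(all, iface) behaviour so a per-interface value is not mistaken for the one that applies.

```bash
#!/bin/bash
# Added example (not from the original page): check for, and repair, the
# strict-rp_filter / fwmark interaction that breaks NetworkManager WireGuard
# profiles. Assumptions (not from the page): the drop-in file path below and
# the check/fix subcommand names are this script's own choices.

SYSCTL_FILE=/etc/sysctl.d/99-wireguard.conf

# Read a sysctl value via /proc/sys; print "unknown" if it is not readable
# (e.g. in a container without the IPv4 conf tree).
read_sysctl() {
    local path
    path="/proc/sys/$(printf '%s' "$1" | tr . /)"
    if [ -r "$path" ]; then cat "$path"; else echo unknown; fi
}

# Decision rule from the text: the fix is needed exactly when rp_filter is
# strict (1) and src_valid_mark is off (0). Loose mode (2) does not drop
# these packets, and 0 disables the check entirely.
needs_fix() {
    local rp_filter="$1" src_valid_mark="$2"
    [ "$rp_filter" = 1 ] && [ "$src_valid_mark" = 0 ]
}

# The kernel applies the higher of conf.all.rp_filter and conf.<iface>.rp_filter.
effective_rp_filter() {
    local all="$1" iface="$2"
    if [ "$all" -gt "$iface" ]; then echo "$all"; else echo "$iface"; fi
}

# Show the relevant sysctls, the policy rules NetworkManager installed, and
# the verdict. Optional argument: the NetworkManager connection name.
check() {
    local conn="${1:-}" all_rp svm
    all_rp=$(read_sysctl net.ipv4.conf.all.rp_filter)
    svm=$(read_sysctl net.ipv4.conf.all.src_valid_mark)
    echo "net.ipv4.conf.all.rp_filter      = $all_rp"
    echo "net.ipv4.conf.all.src_valid_mark = $svm"
    # The fwmark rule and the table it selects (e.g. "not from all fwmark ... lookup 51963").
    if command -v ip >/dev/null 2>&1; then ip -4 rule show; fi
    if [ -n "$conn" ] && command -v nmcli >/dev/null 2>&1; then
        echo "wireguard.fwmark = $(nmcli -g wireguard.fwmark connection show "$conn")"
    fi
    if needs_fix "$all_rp" "$svm"; then
        echo "VERDICT: strict rp_filter with src_valid_mark off; VPN replies will be dropped"
    else
        echo "VERDICT: no change needed for rp_filter/src_valid_mark"
    fi
}

# Apply the fix persistently, load it now, and bounce the connection.
fix() {
    local conn="$1"
    echo "net.ipv4.conf.all.src_valid_mark = 1" | sudo tee "$SYSCTL_FILE" >/dev/null
    sudo sysctl -p "$SYSCTL_FILE"
    sudo nmcli connection down "$conn"
    sudo nmcli connection up "$conn"
    # Confirm the runtime value took effect.
    echo "now: net.ipv4.conf.all.src_valid_mark = $(read_sysctl net.ipv4.conf.all.src_valid_mark)"
}

case "${1:-}" in
    check) check "${2:-}" ;;
    fix)
        [ -n "${2:-}" ] || { echo "usage: $0 fix <connection_name>" >&2; exit 1; }
        fix "$2" ;;
    "") ;;  # no subcommand: only define the functions (safe when sourced)
    *)  echo "usage: $0 check [connection_name] | fix <connection_name>" >&2; exit 1 ;;
esac
```

Run `./wg-rpf.sh check <your_connection_name>` first; if the verdict line reports the strict/off combination, run `./wg-rpf.sh fix <your_connection_name>`. The check mode needs no privileges, and the fix mode runs the same three commands as the numbered steps.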