net-vpn/wireguard-tools[wg-quick] depends on ||(net-firewall/nftables net-firewall/iptables). However, wg-quick works just fine without either one installed, and without the corresponding kernel options enabled either. From inspection of the wg-quick source code (it's just a shell script), it seems that iptables/nftables are only called if one elects to set a *default* route via a Wireguard VPN connection, but they are not needed if one only elects to route certain traffic through the VPN (as is my case, and presumably quite a common case, for connecting to an office VPN from home). In fact, there is even already a mention of this fact in the ebuild: wg_quick_optional_config_nob mentions that the routing, iptables, and nftables config options are only needed for automatic routing of default routes, not for general WireGuard usage. It therefore does not make sense to me that the userspace applications are pulled in unconditionally when wg-quick is installed.

Reproducible: Always
> However, wg-quick works just fine without either one installed, and without the corresponding kernel options enabled either.

It needs fwmark (firewall mark) to work. It uses it in iptables/nftables to make sure that only wireguard packets get out so that nothing leaks.

> It needs fwmark

Actually my bad, it doesn't, it's optional.
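A check a practitioner might run on a wg-quick configuration, as an added example that is not part of the bug thread or of the wireguard-tools ebuild: it mirrors wg-quick's own rule that a /0 prefix in AllowedIPs (unless Table=off) goes through add_default(), the path that sets the fwmark and installs the iptables/nftables rules, while other prefixes become plain routes. The configuration files and their key values below are constructed placeholders.

```shell
#!/bin/sh
# Added example, not code from the bug report or from the wireguard-tools ebuild.
# Reads a wg-quick configuration and reports whether wg-quick will take its
# add_default() path, which is where fwmark plus iptables/nftables rules come in:
# that happens for every AllowedIPs prefix ending in /0 unless Table=off.
# Sample configurations below are constructed; key material is a placeholder.

# needs_firewall_tool CONFIG -> prints "yes" or "no"
needs_firewall_tool() {
    conf="$1"
    table=$(sed -n 's/^[[:space:]]*Table[[:space:]]*=[[:space:]]*//p' "$conf" | tail -n 1)
    if [ "$table" = "off" ]; then
        echo no           # Table=off: wg-quick adds no routes at all
        return 0
    fi
    # AllowedIPs may appear several times and hold comma-separated prefixes
    if sed -n 's/^[[:space:]]*AllowedIPs[[:space:]]*=[[:space:]]*//p' "$conf" \
        | tr ',' '\n' | tr -d ' \t' | grep -q '/0$'; then
        echo yes          # 0.0.0.0/0 or ::/0 -> fwmark + iptables/nft rules
    else
        echo no           # split tunnel: plain ip route entries only
    fi
}

# Constructed sample 1: office split tunnel, only two subnets via the VPN
OFFICE_CONF=$(mktemp)
cat > "$OFFICE_CONF" <<'EOF'
[Interface]
PrivateKey = PLACEHOLDER_PRIVATE_KEY
Address = 10.8.0.2/24

[Peer]
PublicKey = PLACEHOLDER_PUBLIC_KEY
Endpoint = vpn.example.com:51820
AllowedIPs = 10.0.0.0/8, 192.168.100.0/24
EOF

# Constructed sample 2: full tunnel, all IPv4 and IPv6 traffic via the VPN
FULL_CONF=$(mktemp)
cat > "$FULL_CONF" <<'EOF'
[Interface]
PrivateKey = PLACEHOLDER_PRIVATE_KEY
Address = 10.8.0.2/24

[Peer]
PublicKey = PLACEHOLDER_PUBLIC_KEY
Endpoint = vpn.example.com:51820
AllowedIPs = 0.0.0.0/0,::/0
EOF

echo "office split tunnel: $(needs_firewall_tool "$OFFICE_CONF")"   # no
echo "full tunnel:         $(needs_firewall_tool "$FULL_CONF")"     # yes
```

On a host without iptables or nft installed, a "yes" result is the configuration for which wg-quick up would fail, while a "no" result matches the split-tunnel case described in the report.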