Client Config notes
Ran this on all the hosts in the cluster: sysctl -q net.ipv4.conf.all.src_valid_mark=1
Needed privileged and NET_ADMIN for tunnel binding:
- image: linuxserver/wireguard
  securityContext:
    privileged: true
    capabilities:
      add: ["NET_ADMIN", "SYS_MODULE"]
  env:
    - name: PUID
      value: "1000"
    - name: PGID
      value: "1000"
  name: wireguard
  volumeMounts:
    - name: config-wg
      mountPath: /config
    - name: modules
      mountPath: /lib/modules
Spent a lot of time troubleshooting intermittent DNS. This was because of overzealous iptables kill-switches from Mullvad blocking the upstream DNS server whenever the cluster DNS didn't have the answer on hand, as well as blocking ICMP and other local networks, which cut the sidecars off from the local net (like qBittorrent over 8080 on the 192.168 network).
My final client configuration:
[Interface]
PrivateKey = <mullvad provided key>
Address = <mullvad provided IP>/32
DNS = <mullvad DNS server>
PostUp = ip route add 192.168.0.0/16 via 169.254.1.1
PreDown = ip route del 192.168.0.0/16 via 169.254.1.1
[Peer]
PublicKey = <mullvad provided key>
AllowedIPs = 0.0.0.0/0 # Actually a take-over IP list
Endpoint = <mullvad server IP>:51820
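As an added example (not from the original notes), the Python below reads a wg-quick config the way wg-quick does (everything from "#" to end of line is dropped, so the remark on the AllowedIPs line never reaches the kernel) and then checks the routing side of the problem described above: any local network that AllowedIPs = 0.0.0.0/0 pulls into the tunnel must have a PostUp bypass route, every PostUp route needs a matching PreDown/PostDown delete, and any iptables REJECT/DROP kill-switch hook is flagged so its exemptions for the local net and the cluster DNS can be reviewed. The sample config is constructed from the final configuration with placeholder key, address, DNS and endpoint values; the 169.254.1.1 gateway and the 192.168.0.0/16 route are the ones from the notes.

```python
import ipaddress
import re

# Constructed stand-in for the final client config above: placeholder values
# replace the Mullvad-provided key, address, DNS server and endpoint.
SAMPLE_CONF = """\
[Interface]
PrivateKey = PLACEHOLDER_PRIVATE_KEY
Address = 10.64.0.2/32
DNS = 10.64.0.1
PostUp = ip route add 192.168.0.0/16 via 169.254.1.1
PreDown = ip route del 192.168.0.0/16 via 169.254.1.1
[Peer]
PublicKey = PLACEHOLDER_PUBLIC_KEY
AllowedIPs = 0.0.0.0/0 #Actually a take-over ip list
Endpoint = 203.0.113.10:51820
"""

LIST_KEYS = {"AllowedIPs", "Address", "DNS"}          # comma-separated, may repeat
HOOK_KEYS = {"PreUp", "PostUp", "PreDown", "PostDown"}  # may repeat, one command each
ROUTE_RE = re.compile(r"\bip\s+(?:-[46]\s+)?route\s+(add|del(?:ete)?)\s+(\S+)")


def parse_wg_conf(text):
    """Parse a wg-quick config into {'Interface': {...}, 'Peers': [{...}, ...]}.

    Comments are stripped from '#' to end of line before parsing, as wg-quick
    does, so '#Actually ...' on the AllowedIPs line is simply discarded."""
    conf = {"Interface": {}, "Peers": []}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            if section == "Interface":
                current = conf["Interface"]
            elif section == "Peer":
                current = {}
                conf["Peers"].append(current)
            else:
                raise ValueError(f"unknown section [{section}]")
            continue
        if current is None or "=" not in line:
            raise ValueError(f"line outside a section or missing '=': {raw!r}")
        key, value = (part.strip() for part in line.split("=", 1))
        if key in LIST_KEYS:
            current.setdefault(key, []).extend(v.strip() for v in value.split(",") if v.strip())
        elif key in HOOK_KEYS:
            current.setdefault(key, []).append(value)
        else:
            current[key] = value
    return conf


def _to_net(text):
    """CIDR string -> ip_network, or None for non-CIDR targets such as 'default'."""
    try:
        return ipaddress.ip_network(text, strict=False)
    except ValueError:
        return None


def _routes(hooks, action):
    """Collect route targets that the given hook commands add or delete."""
    return {m.group(2) for cmd in hooks for m in ROUTE_RE.finditer(cmd)
            if m.group(1)[:3] == action}


def check_lan_reachability(conf, local_nets):
    """Return findings for local networks swallowed by AllowedIPs, unpaired
    route hooks, and iptables kill-switch hooks that need reviewing."""
    nets = [ipaddress.ip_network(n) for n in local_nets]
    iface = conf["Interface"]
    allowed = [n for n in (_to_net(a) for p in conf["Peers"] for a in p.get("AllowedIPs", [])) if n]
    up_hooks = iface.get("PreUp", []) + iface.get("PostUp", [])
    down_hooks = iface.get("PreDown", []) + iface.get("PostDown", [])
    added, removed = _routes(up_hooks, "add"), _routes(down_hooks, "del")
    bypassed = [n for n in (_to_net(r) for r in added) if n]
    findings = []
    for net in nets:
        in_tunnel = any(a.version == net.version and net.subnet_of(a) for a in allowed)
        has_bypass = any(b.version == net.version and net.subnet_of(b) for b in bypassed)
        if in_tunnel and not has_bypass:
            findings.append(f"{net} is covered by AllowedIPs but has no PostUp bypass route; "
                            "sidecars and cluster DNS on it will be sent into the tunnel")
    for route in sorted(added - removed):
        findings.append(f"PostUp adds route {route} but no PreDown/PostDown deletes it")
    for cmd in up_hooks:
        if "iptables" in cmd and re.search(r"-j\s+(REJECT|DROP)", cmd):
            findings.append(f"kill-switch rule in hooks: {cmd!r}; confirm it exempts "
                            f"{', '.join(str(n) for n in nets)} and the cluster DNS server")
    return findings


if __name__ == "__main__":
    for line in check_lan_reachability(parse_wg_conf(SAMPLE_CONF), ["192.168.0.0/16"]) or ["no findings"]:
        print(line)
```

The script only sees what is in the config file: the rules a Mullvad-generated kill switch installs live in its PostUp/PreDown hooks, so a config that has had them removed (as the final one above has) produces no kill-switch finding, while a config that still carries them is flagged for review.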