I'm starting to wonder if the Linux networking stack has become a bit too layered.<p>I recently spent some time debugging a WireGuard tunnel on a VPS. Simple 'ip r sh' checks and tcpdump'ing weren't revealing the full picture, and it turned out an obscure 'ip rule' added by the VPS provider was redirecting the traffic to the loopback for reasons.<p>It seems like policy-based routing (via ip rule) adds an extra, opaque layer before the regular routing table. The packet router (below routing) further complicates things.
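An added example, not part of the original comment: a small filter that reads text in `ip rule show` format and prints every rule that is not one of the three kernel defaults, which is the layer a plain `ip r sh` never displays. The function names and the sample rules are constructed for illustration.

```shell
#!/bin/sh
# Added example: surface policy-routing rules that are not kernel defaults.
# On a live host: ip rule show | audit_rules

# Print "priority<TAB>table<TAB>selector" for every non-default rule.
audit_rules() {
    awk '
    {
        prio = $1; sub(/:$/, "", prio)
        table = ""; sel = ""
        for (i = 2; i <= NF; i++) {
            # "lookup <table>" names the routing table the rule jumps to
            if ($i == "lookup" || $i == "table") { table = $(i + 1); i++; continue }
            sel = sel (sel == "" ? "" : " ") $i
        }
        # Kernel defaults: 0 -> local, 32766 -> main, 32767 -> default
        if (sel == "from all" &&
            ((prio == "0" && table == "local") ||
             (prio == "32766" && table == "main") ||
             (prio == "32767" && table == "default"))) next
        printf "%s\t%s\t%s\n", prio, table, sel
    }'
}

# Constructed sample input (not taken from the comment): one extra
# fwmark rule plus two rules of the kind wg-quick installs.
sample_rules() {
    cat <<'EOF'
0: from all lookup local
100: from all fwmark 0x1 lookup 100
32764: from all lookup main suppress_prefixlength 0
32765: not from all fwmark 0xca6c lookup 51820
32766: from all lookup main
32767: from all lookup default
EOF
}

sample_rules | audit_rules
```

Each table reported in the second column can then be inspected with `ip route show table <table>`, and `ip route get <destination>` shows which route the kernel actually selects once the rules are applied.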