Forward only LAN traffic from network namespace to root namespace

I set up my machine going by the tutorial here to make a WireGuard interface the only interface (so any of my applications can only use that to access the internet).

This works as intended, but now I want to exclude my LAN (192.168.0.0/16) from it, so I can access it by SSH, use an HTTP(S) reverse proxy, etc.

New to ip, I tried setting up a veth (vethVPN/vethPhys) pair and set the route for 192.168.0.0/16 via the vethPhys IP:

ip link add name vethVPN type veth peer name vethPhys
ip link set vethPhys netns physical
ip -n physical addr add 10.0.0.1/32 dev vethPhys
ip -n physical link set vethPhys up
ip link set vethVPN up
ip -n physical route 192.168.0.0/16 via 10.0.0.1

What am I doing wrong? What's the correct way to accomplish this?