maybe use routing?
Discussion
I managed to route traffic through the WireGuard interface to the other server, but it never goes out to the public network. I tried everything ChatGPT told me, but the problem is I haven't read a 200-page book about networking.
refer to: https://wiki.archlinux.org/title/WireGuard
section 2.4.3 systemd-networkd: routing all traffic over WireGuard
special attention to exempting the endpoint's public IP.
works, zero iptables used.
well, zero on the client, simple masquerade on the exit node
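The layout the reply above points to (client default route in its own table, WireGuard's own packets and the endpoint's public IP kept out of it, only a masquerade on the exit node), written out as an added example. It is not configuration from the thread or from the Arch wiki page; the key path, the `10.8.0.0/24` tunnel subnet, the `203.0.113.10` endpoint, the `0x8888` mark and the table number `1000` are placeholders.

```ini
# /etc/systemd/network/wg0.netdev  (client side; example, values are placeholders)
[NetDev]
Name=wg0
Kind=wireguard
Description=Tunnel to the exit node

[WireGuard]
PrivateKeyFile=/etc/systemd/network/wg0.key
# Mark the encrypted UDP packets WireGuard itself sends, so the policy
# rule below can keep them out of the tunnel table (no routing loop).
FirewallMark=0x8888
# Do not let networkd derive routes from AllowedIPs; we add our own below.
RouteTable=off

[WireGuardPeer]
PublicKey=EXIT_NODE_PUBLIC_KEY_PLACEHOLDER
Endpoint=203.0.113.10:51820
AllowedIPs=0.0.0.0/0
PersistentKeepalive=25

# /etc/systemd/network/wg0.network  (client side)
[Match]
Name=wg0

[Network]
Address=10.8.0.2/24

# Default route for the tunnel, kept in a dedicated table rather than main.
[Route]
Destination=0.0.0.0/0
Table=1000

# Anything NOT carrying WireGuard's own mark is looked up in table 1000,
# i.e. sent into the tunnel. Marked (already encrypted) packets skip it.
[RoutingPolicyRule]
FirewallMark=0x8888
InvertRule=true
Table=1000
Priority=10

# Let more specific routes in main (LAN, host routes) win over the tunnel
# default; only main's own default route is suppressed.
[RoutingPolicyRule]
SuppressPrefixLength=0
Table=main
Priority=9

# Explicit exemption for the endpoint's public IP, so even an unmarked
# packet to the exit node is never routed back into wg0.
[RoutingPolicyRule]
To=203.0.113.10/32
Table=main
Priority=5
```

On the exit node nothing beyond forwarding and source NAT is needed: enable `net.ipv4.ip_forward=1`, list the client as a peer with `AllowedIPs=10.8.0.2/32`, and add a masquerade rule for the tunnel subnet on the public interface (with nftables, a `postrouting` chain of type `nat` containing `oifname "eth0" ip saddr 10.8.0.0/24 masquerade`). A quick check on the client is `ip rule` (the three rules should appear in priority order) and `ip route get 203.0.113.10`, which must resolve via the physical uplink, not via wg0.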