Ssh access when wireguard is active

Hi, I've a WireGuard connection to Surfshark set up and working on my Vero V. All is working fine except that I can't SSH into it from the WAN network when wg is up (from the LAN it works). All is working fine when I bring wg down.
I tried to add a routing table and rules. I did:

sudo iptables -t mangle -A PREROUTING -i eth0 -j MARK --set-mark 10   # mark every packet arriving on eth0
echo "100 eth0_table" | sudo tee -a /etc/iproute2/rt_tables             # give routing table 100 a name
sudo ip route add default via 192.168.0.1 dev eth0 table eth0_table    # table 100: default route via the LAN gateway
sudo ip rule add fwmark 10 lookup eth0_table                            # marked packets consult table 100

I wanted to mark connections coming in on the eth0 interface and route the response out of the same interface, because I think it responds over the WireGuard interface, but this doesn't work.
I also tried port-based marking (-p 22) instead of -i eth0.
The connecting device never gets rejected or anything; it just hangs, I suppose waiting for a reply.
I hope someone could help with this?
ty

Did you configure ssh to listen on the wg interface?
Also, are you sure you want to have ssh open on WireGuard?

No, I want SSH in parallel with wg. I have port knocking that opens the SSH port on the router, and I want to be able to SSH to my Vero when wg is up. It works fine when I bring wg down, so I want to mark connections that come in to the Vero on port 22 so they are routed back out of the same interface/IP they came in on. Hope it's clear enough?

So do you have ssh listening on the wg interface?

It works. The key was to uncomment this line:
# Uncomment the next line to enable packet forwarding for IPv4
net.ipv4.ip_forward=1
in /etc/sysctl.conf
and to mangle the OUTPUT chain on the wg interface instead of the PREROUTING chain on the eth0 interface, like:
iptables -A OUTPUT -t mangle -o $VPNINTERFACE -p tcp --sport 22 -j MARK --set-mark 10
in case someone is interested.

1 Like
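The following is an added, complete version of the fix described in the last post; it is not the poster's script and nothing like it appears in the thread. It assumes the LAN/WAN-facing interface is eth0, the WireGuard interface is wg0, the LAN gateway is 192.168.0.1, mark 10 and table 100 (named eth0_table) as in the thread, and that it runs as root. The reason the PREROUTING attempt failed is that sshd's replies are locally generated and never pass PREROUTING; they pass the mangle OUTPUT chain, where changing the mark makes the kernel re-route the packet. Setting DRYRUN=1 prints the commands instead of executing them.

```sh
#!/bin/sh
# Policy routing so SSH replies leave via eth0 while WireGuard owns the default route.
# Assumed names (not all from the thread): eth0, wg0, 192.168.0.1, mark 10, table 100.
LAN_IF="${LAN_IF:-eth0}"
VPN_IF="${VPN_IF:-wg0}"            # assumption: WireGuard interface name
LAN_GW="${LAN_GW:-192.168.0.1}"
SSH_PORT="${SSH_PORT:-22}"
FWMARK="${FWMARK:-10}"
TABLE_ID="${TABLE_ID:-100}"
TABLE_NAME="${TABLE_NAME:-eth0_table}"
DRYRUN="${DRYRUN:-0}"              # DRYRUN=1 prints each command instead of running it

run() {
    if [ "$DRYRUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# iptables -C returns 0 when an identical rule already exists, so the rule is
# only appended once. In dry-run mode pretend nothing exists so every rule is shown.
mangle_rule_present() {
    [ "$DRYRUN" = "1" ] && return 1
    iptables -t mangle -C "$@" 2>/dev/null
}

# The table name is cosmetic; the ip commands below use the numeric id, so they
# work even before /etc/iproute2/rt_tables has been edited.
ensure_rt_table_name() {
    grep -qs "^$TABLE_ID[[:space:]]$TABLE_NAME\$" /etc/iproute2/rt_tables && return 0
    if [ "$DRYRUN" = "1" ]; then
        printf 'append "%s %s" to /etc/iproute2/rt_tables\n' "$TABLE_ID" "$TABLE_NAME"
    else
        printf '%s %s\n' "$TABLE_ID" "$TABLE_NAME" >> /etc/iproute2/rt_tables
    fi
}

ssh_reply_routing_up() {
    ensure_rt_table_name
    # sshd's replies are locally generated: they traverse mangle OUTPUT, not
    # PREROUTING. The first routing decision sends them to the VPN (-o wg0);
    # setting a mark there makes the kernel re-route them using the ip rules.
    mangle_rule_present OUTPUT -o "$VPN_IF" -p tcp --sport "$SSH_PORT" -j MARK --set-mark "$FWMARK" ||
        run iptables -t mangle -A OUTPUT -o "$VPN_IF" -p tcp --sport "$SSH_PORT" -j MARK --set-mark "$FWMARK"
    # Marked packets consult table 100, whose only route is the LAN gateway.
    run ip route replace default via "$LAN_GW" dev "$LAN_IF" table "$TABLE_ID"
    run ip rule del fwmark "$FWMARK" lookup "$TABLE_ID" 2>/dev/null || true
    run ip rule add fwmark "$FWMARK" lookup "$TABLE_ID"
    # The inbound SYN arrives on eth0 although the main table would route its
    # source via wg0; loose reverse-path filtering keeps strict rp_filter from
    # dropping it. This is a precaution not mentioned in the thread.
    run sysctl -q -w "net.ipv4.conf.$LAN_IF.rp_filter=2"
    # The thread reports that enabling IPv4 forwarding was also needed on the Vero.
    run sysctl -q -w net.ipv4.ip_forward=1
}

ssh_reply_routing_down() {
    run ip rule del fwmark "$FWMARK" lookup "$TABLE_ID" 2>/dev/null || true
    run ip route flush table "$TABLE_ID" 2>/dev/null || true
    mangle_rule_present OUTPUT -o "$VPN_IF" -p tcp --sport "$SSH_PORT" -j MARK --set-mark "$FWMARK" &&
        run iptables -t mangle -D OUTPUT -o "$VPN_IF" -p tcp --sport "$SSH_PORT" -j MARK --set-mark "$FWMARK"
    return 0
}

# Usage: sh ssh-reply-routing.sh up | down   (nothing runs when called without an argument)
case "${1-}" in
    up)   ssh_reply_routing_up ;;
    down) ssh_reply_routing_down ;;
esac
```

Run it with `up` after the tunnel is established (for example from the WireGuard config's PostUp hook, with `down` in PostDown); the ip rule and route are not persistent across reboots, and the sysctl settings would need the /etc/sysctl.conf entry from the post to survive one. Because the mark is applied only to packets whose source port is the SSH port and whose first routing decision picked wg0, ordinary traffic keeps going through the VPN, and the firewall on the router (plus the port knocking already in place) still decides who can reach port 22 from the WAN.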