There is no need for this and WireGuard was designed to avoid needing something like this. The AllowedIPs binding gives you a mapping between source IP and peer public key.
So, if you have on wg0:

    PublicKey = ABCD
    AllowedIPs = 192.168.33.99/32

Then you can safely have a netfilter rule that says:

    iptables -A INPUT -i wg0 -s 192.168.33.99/32 -j ACCEPT

You only need to match two things: the WireGuard interface and the source IP. The strong binding to the public key is the primary security property that WireGuard gives you via cryptokey routing.
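The receive-side check behind that binding, as an added example that is not part of the original message or of WireGuard's code: a simplified Python model in which a packet that authenticated under one peer key is accepted only if its inner source IP maps back to that same key through AllowedIPs. The second peer `EFGH`, its ranges, and all function names are constructed for illustration.

```python
import ipaddress

# Constructed peer table for wg0: public key -> AllowedIPs.
# "ABCD" comes from the message above; "EFGH" and its ranges are made up.
PEERS = {
    "ABCD": ["192.168.33.99/32"],
    "EFGH": ["192.168.33.100/32", "10.20.0.0/24"],
}

def build_table(peers):
    """Flatten the config into (network, public_key) pairs."""
    return [(ipaddress.ip_network(cidr), key)
            for key, cidrs in peers.items() for cidr in cidrs]

def owner_of(table, ip):
    """Longest-prefix match: the peer key that owns this inner IP, or None."""
    addr = ipaddress.ip_address(ip)
    matches = [(net.prefixlen, key) for net, key in table if addr in net]
    return max(matches)[1] if matches else None

def accept_inbound(table, authenticated_key, inner_src_ip):
    """Model of the receive path. The packet has already decrypted and
    authenticated under authenticated_key; it is passed up to the
    interface only if its inner source IP belongs to that same key."""
    return owner_of(table, inner_src_ip) == authenticated_key

def peers_able_to_send(table, inner_src_ip):
    """Every configured key that could get a packet with this source IP
    onto the interface. A firewall rule matching `-i wg0 -s <ip>` is
    effectively matching this set."""
    keys = sorted({key for _, key in table})
    return [k for k in keys if accept_inbound(table, k, inner_src_ip)]

TABLE = build_table(PEERS)

if __name__ == "__main__":
    for src in ("192.168.33.99", "10.20.0.5", "192.168.33.101"):
        print(src, "->", peers_able_to_send(TABLE, src))
```

For 192.168.33.99 the set contains only `ABCD`, which is why the source-IP match on wg0 identifies the peer without any further key check in netfilter.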
