If you actually need to send tunneled WireGuard traffic through a different physical network interface than the one through which you received it, you would likely need two separate WireGuard interfaces (one for each physical interface).
However, you're probably overthinking this. You probably don't need to use both interfaces -- you probably just need to set up a WireGuard tunnel through just one of the physical network interfaces, and use WireGuard's persistent-keepalive functionality to keep the tunnel open for bi-directional communication.
Let's call your host with two interfaces "Host A", and the host you're trying to communicate with over WireGuard "Host B". These are the three usual ways you'd do this:
1. Host A sets up the tunnel to Host B
If Host A can initiate connections to Host B's public IP address and WireGuard listen port (like through your Host A's ens7 interface), configure Host A with Host B's public IP address and WireGuard listen port (via the Endpoint setting), and add a PersistentKeepalive setting to it:
# /etc/wireguard/wg0.conf on Host A
[Interface]
...
# connection to Host B
[Peer]
...
Endpoint = <Host B public IP>:<Host B listen port>
PersistentKeepalive = 25
When you start up the WireGuard interface on Host A, it will attempt to set up a WireGuard connection with Host B, and send a keepalive packet to Host B every 25 seconds. These keepalive packets should keep the connection open through any firewalls between Host A and Host B, allowing both hosts to send and receive traffic to each other on demand (adjust the PersistentKeepalive seconds as necessary to make sure it triggers those firewalls to keep the connection state active).
In this case, don't include an Endpoint or PersistentKeepalive setting in Host B's WireGuard config.
2. Host B sets up the tunnel to Host A
If Host B can initiate connections to Host A's public IP address and WireGuard listen port (like through your Host A's ens3 interface), instead configure Host B with Host A's public IP address and WireGuard listen port (via the Endpoint setting), and add a PersistentKeepalive setting to Host B:
# /etc/wireguard/wg0.conf on Host B
[Interface]
...
# connection to Host A
[Peer]
...
Endpoint = <Host A public IP>:<Host A listen port>
PersistentKeepalive = 25
In this case, when you start up the WireGuard interface on Host B, it will attempt to set up a WireGuard connection with Host A, and send a keepalive packet to Host A every 25 seconds. Don't include an Endpoint or PersistentKeepalive setting in Host A's WireGuard config in this case.
3. Host A and Host B both set up a tunnel to a third host
If Host A cannot initiate connections to Host B's public IP address and WireGuard listen port, and Host B cannot initiate connections to Host A's public IP address and WireGuard listen port, set up a third host, "Host C", at some other location with a public IP address and WireGuard listen port to which both Host A and Host B can connect.
Configure both Host A and Host B with Host C's public IP address and WireGuard listen port, and add a PersistentKeepalive setting to both:
# /etc/wireguard/wg0.conf on Host A
[Interface]
...
# connection to Host C
[Peer]
...
Endpoint = <Host C public IP>:<Host C listen port>
PersistentKeepalive = 25
(Same for Host B):
# /etc/wireguard/wg0.conf on Host B
[Interface]
...
# connection to Host C
[Peer]
...
Endpoint = <Host C public IP>:<Host C listen port>
PersistentKeepalive = 25
Then configure Host C as a WireGuard hub, forwarding traffic back and forth through its WireGuard connections between Host A and Host B.
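
A sketch of the Host C hub configuration for option 3, added here as an example and not part of the original answer. The tunnel subnet 10.0.0.0/24, the per-host tunnel addresses, port 51820, the use of iptables, and the key placeholders are all assumptions.

```ini
# /etc/wireguard/wg0.conf on Host C (hub) -- added example
# All addresses, the port and the key placeholders below are assumptions.
[Interface]
PrivateKey = <Host C private key>
# Assumed tunnel subnet 10.0.0.0/24; Host C takes .3
Address = 10.0.0.3/24
# Must match the port in the Endpoint setting on Host A and Host B
ListenPort = 51820
# Let the kernel route packets arriving from one peer out to the other
PreUp = sysctl -w net.ipv4.ip_forward=1
# Allow forwarding only between WireGuard peers (wg0 in, wg0 out);
# wg-quick expands %i to the interface name
PostUp = iptables -A FORWARD -i %i -o %i -j ACCEPT
PostDown = iptables -D FORWARD -i %i -o %i -j ACCEPT

# connection from Host A
# No Endpoint or PersistentKeepalive here: Host A dials in and keeps
# the path open with its own keepalives.
[Peer]
PublicKey = <Host A public key>
# /32 so Host A can only source traffic from its own tunnel address
AllowedIPs = 10.0.0.1/32

# connection from Host B
[Peer]
PublicKey = <Host B public key>
AllowedIPs = 10.0.0.2/32
```

With this layout, the `[Peer]` section for Host C on Host A and on Host B needs an AllowedIPs value that covers the other host's tunnel address (10.0.0.0/24 under these assumptions), otherwise traffic for the other host is never sent into the tunnel. Keeping each AllowedIPs entry on the hub at /32 means the hub drops packets from one host that claim the other host's tunnel address.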