@Nimbius666 @phnt so the one thing I really needed was on the VPS

sudo sysctl net.ipv4.conf.all.proxy_arp=1

that gets the traffic in

The other problem is that I have to do AllowedIPs=0.0.0.0/0

but this pushes all my traffic out the Wireguard tunnel which breaks internet access because normal traffic is going to have a source IP of my jail, which is RFC1918

Fortunately all the things I really need to access are also on local networks so a more specific static route fixes that. I'll still be able to get packages and stuff, but you can't make new network connections from here out to the internet.

Luckily I don't really need that so it's kind of a security feature anyway as if someone compromised the webserver and got a shell they couldn't reach the real internet from it. But I can still reach my package server, do updates etc because all those operations can happen from outside the jail

Anyway, it works. This wasted a lot of my energy today but goddamn it I wanted a working static IP on this because my ISP won't sell me any

I miss the /27 I used to have. Or the /23 from ages ago.