diff --git a/pkg/agent/config/node_config.go b/pkg/agent/config/node_config.go
index 2908c1e2724..6251cf1ce16 100644
--- a/pkg/agent/config/node_config.go
+++ b/pkg/agent/config/node_config.go
@@ -263,7 +263,14 @@ func (nc *NetworkConfig) NeedsTunnelToPeer(peerIP net.IP, localIP *net.IPNet) bo
 }
 
 func (nc *NetworkConfig) NeedsTunnelInterface() bool {
- return nc.TrafficEncapMode.SupportsEncap() || nc.EnableMulticlusterGW
+ // For encap or hybrid mode, we need to create the tunnel interface, except if we are using
+ // WireGuard, in which case inter-Node traffic always goes through the antrea-wg0 interface,
+ // and tunneling is managed by Linux, not OVS.
+ // If multi-cluster gateway is enabled, we always need the tunnel interface. For example,
+ // cross-cluster traffic from a regular Node to the gateway Node for the source cluster
+ // always goes through antrea-tun0, regardless of the actual "traffic mode" for the source
+ // cluster.
+ return (nc.TrafficEncapMode.SupportsEncap() && nc.TrafficEncryptionMode != TrafficEncryptionModeWireGuard) || nc.EnableMulticlusterGW
 }
 
 // NeedsDirectRoutingToPeer returns true if Pod traffic to peer Node needs a direct route installed to the routing table.
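Review bot: The new return in NeedsTunnelInterface still creates antrea-tun0 whenever EnableMulticlusterGW is set, including when TrafficEncryptionMode is WireGuard, and the added comment does not say how the regular-Node-to-gateway leg is protected in that combination. An operator who selected WireGuard would likely expect all inter-Node traffic to leave through antrea-wg0, and whether traffic on antrea-tun0 is encrypted in that case cannot be determined from this hunk. If it is not, the comment should say so explicitly, for example `// NOTE: with WireGuard and EnableMulticlusterGW both set, traffic sent through antrea-tun0 is not covered by antrea-wg0.`, or the combination should be rejected when the configuration is validated. A table-driven test over the combinations of SupportsEncap(), WireGuard and EnableMulticlusterGW would also pin the intended grouping of `&&` and `||` in this expression.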