[WireGuard] Troubleshooting with WireGuard

Daniel Kahn Gillmor dkg at fifthhorseman.net
Wed Jul 13 19:39:21 CEST 2016


On Wed 2016-07-13 18:57:45 +0200, Baptiste Jonglez wrote:
> Actually, it does!  This dual usage brings more confusion.  Despite the
> name, "AllowedIPs" controls both:
>
> 1) packets that are *received* from a peer (by looking at the source IP
>    address after decrypting an incoming packet, and only allowing the
>    packet if it matches an AllowedIPs rule for this peer)
>
> 2) packets that are *sent* through a WireGuard interface, where the right
>    peer is found by looking for a matching AllowedIPs entry (using the
>    destination IP address of the packet, this time).  That's the
>    "cryptokey routing" part.

So if a given interface has two peers, their AllowedIPs (or whatever we
end up calling it) are not permitted to overlap?  That constraint should
probably be better documented as well.  It makes sense now that you
describe it, but it wasn't obvious from the current docs.

         --dkg
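
The two roles of AllowedIPs described in the quoted text, as an added example that is not part of the original thread and is not WireGuard's own code. The Interface class, the peer names and the addresses are constructed for illustration; resolving entries of different lengths by longest-prefix match and keeping the latest owner of an identical prefix are assumptions of this model.

```python
import ipaddress


class Interface:
    """Toy model of one interface's AllowedIPs table (illustrative only)."""

    def __init__(self):
        self.table = {}  # ip_network -> peer name

    def allow(self, peer, cidr):
        # Keyed by prefix, so an identical prefix has exactly one owner;
        # this model keeps the most recent assignment (assumption).
        self.table[ipaddress.ip_network(cidr)] = peer

    def lookup(self, addr):
        """Return the peer owning the most specific entry containing addr."""
        ip = ipaddress.ip_address(addr)
        matches = [n for n in self.table
                   if n.version == ip.version and ip in n]
        if not matches:
            return None
        return self.table[max(matches, key=lambda n: n.prefixlen)]

    def route_outgoing(self, dst):
        """Role 2: pick the peer to encrypt to from the destination IP."""
        return self.lookup(dst)

    def accept_incoming(self, from_peer, inner_src):
        """Role 1: after decryption, accept only if the inner source IP
        maps back to the peer whose key decrypted the packet."""
        return self.lookup(inner_src) == from_peer


def build_demo():
    # Constructed sample configuration: two peers on one interface.
    wg0 = Interface()
    wg0.allow("peerA", "10.0.0.0/24")
    wg0.allow("peerB", "10.0.0.128/25")   # more specific, inside peerA's /24
    wg0.allow("peerB", "192.168.5.0/24")
    return wg0


if __name__ == "__main__":
    wg0 = build_demo()
    for dst in ("10.0.0.5", "10.0.0.200", "8.8.8.8"):
        print("send to", dst, "->", wg0.route_outgoing(dst))
    for peer, src in (("peerA", "10.0.0.5"), ("peerA", "10.0.0.200")):
        print("recv from", peer, "src", src, "->",
              "accept" if wg0.accept_incoming(peer, src) else "drop")
```
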

