[WireGuard] Troubleshooting with WireGuard

Baptiste Jonglez baptiste at bitsofnetworks.org
Wed Jul 13 19:51:56 CEST 2016


On Wed, Jul 13, 2016 at 07:39:21PM +0200, Daniel Kahn Gillmor wrote:
> On Wed 2016-07-13 18:57:45 +0200, Baptiste Jonglez wrote:
> > Actually, it does !  This dual usage brings more confusion.  Despite the
> > name, "AllowedIPs" controls both:
> >
> > 1) packets that are *received* from a peer (by looking at the source IP
> >    address after decrypting an incoming packet, and only allowing the
> >    packet if it matches an AllowedIPs rule for this peer)
> >
> > 2) packets that are *sent* through a wireguard interface, where the right
> >    peer is found by looking for a matching AllowedIPs entry (using the
> >    destination IP address of the packet, this time).  That's the
> >    "cryptokey routing" part.
> 
> so if a given interface has two peers, their AllowedIPs (or whatever we
> end up calling it) are not permitted to overlap?

It's a longest-prefix-match on the destination IP address.  So, the
"AllowedIPs" for two peers can overlap, but then the most specific prefix
will win.  If two peers have the exact same AllowedIPs entry, then I'm not
sure what happens.
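The two roles of "AllowedIPs" described in this thread (a source-address filter on decrypted incoming packets and a longest-prefix-match lookup for outgoing packets) can be modelled in a few lines. The following is an added illustration, not code from the WireGuard project or from either poster; peer names and prefixes are constructed sample values. It models an exact duplicate prefix by reassigning it to the most recently configured peer, which is the behaviour of the later kernel implementation (a prefix belongs to exactly one peer per interface).

```python
"""Toy model of WireGuard cryptokey routing (the "AllowedIPs" table).

Added example with constructed sample peers; not WireGuard's own code.
"""
import ipaddress
from typing import Dict, Iterable, Optional, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


class CryptokeyRoutingTable:
    """One table per WireGuard interface: prefix -> owning peer."""

    def __init__(self) -> None:
        # Each prefix belongs to exactly one peer. Re-adding a prefix that
        # another peer already owns moves it to the new peer (modelled
        # behaviour for the "exact same AllowedIPs entry" case).
        self._routes: Dict[Network, str] = {}

    def add_peer(self, peer: str, allowed_ips: Iterable[str]) -> None:
        for cidr in allowed_ips:
            net = ipaddress.ip_network(cidr, strict=False)
            self._routes[net] = peer

    def lookup(self, address: str) -> Optional[str]:
        """Longest-prefix match: the most specific covering prefix wins."""
        addr = ipaddress.ip_address(address)
        best: Optional[Network] = None
        for net in self._routes:
            if net.version == addr.version and addr in net:
                if best is None or net.prefixlen > best.prefixlen:
                    best = net
        return None if best is None else self._routes[best]

    def select_peer_for_outgoing(self, dst: str) -> Optional[str]:
        """Role 2: pick the peer to encrypt to from the destination IP.
        None means there is no route, so the packet is dropped."""
        return self.lookup(dst)

    def accept_incoming(self, peer: str, src: str) -> bool:
        """Role 1: after decryption, the inner source IP must map back to
        the peer whose session decrypted it; otherwise drop the packet.
        This is what stops one peer from spoofing another's addresses."""
        return self.lookup(src) == peer


def demo() -> Dict[str, object]:
    """Constructed topology: two hosts with /32s and a gateway that also
    announces the whole LAN prefix and a default route."""
    table = CryptokeyRoutingTable()
    table.add_peer("laptop", ["10.0.0.2/32"])
    table.add_peer("gateway", ["10.0.0.0/24", "0.0.0.0/0"])
    table.add_peer("phone", ["10.0.0.3/32"])
    return {
        # /32 beats the gateway's /24 for the laptop's own address
        "to_laptop": table.select_peer_for_outgoing("10.0.0.2"),
        # /24 beats /0 for an unlisted LAN host
        "to_other_lan": table.select_peer_for_outgoing("10.0.0.77"),
        # only the default route covers the public address
        "to_internet": table.select_peer_for_outgoing("1.1.1.1"),
        # laptop's session carrying the phone's source IP is dropped
        "laptop_spoofs_phone": table.accept_incoming("laptop", "10.0.0.3"),
        # gateway may forward traffic from anywhere (it owns 0.0.0.0/0)
        "gateway_from_internet": table.accept_incoming("gateway", "8.8.8.8"),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

A practical check that follows from this: if you want a peer to be both a reachable host and a default gateway, the overlapping prefixes are fine, but every other peer's addresses must still be listed as more specific prefixes on their own peer entries, or their return traffic will be routed to the gateway and their incoming packets rejected as spoofed.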