[Question or Feature Request] Any wg1.conf option to limit peer IP as 1-to-1?

KeXianbin(http://diyism.com) kexianbin at diyism.com
Mon Dec 17 09:49:24 CET 2018


Sorry,

I found the definition in the manual:
AllowedIPs — a comma-separated list of IP (v4 or v6) addresses with CIDR masks
from which incoming traffic for this peer is allowed and to which
outgoing traffic for this peer is directed

from: https://manpages.debian.org/unstable/wireguard-tools/wg.8.en.html

On Mon, Dec 17, 2018 at 4:10 PM KeXianbin(http://diyism.com)
<kexianbin at diyism.com> wrote:
>
> It seems that "AllowedIPs" has nothing to do with refusing an unwanted peer's IP.
> It only specifies the outgoing target IPs,
> For example,  I sometimes set "AllowedIPs=216.58.0.0/18" to enable me
> to visit https://www.google.com through the internet of the peer
> "10.1.0.3".
> On Mon, Dec 17, 2018 at 3:53 PM KeXianbin(http://diyism.com)
> <kexianbin at diyism.com> wrote:
> >
> > On my machine (10.1.0.1), does the option "AllowedIPs = 10.1.0.3/32" in
> > wg1.conf take effect in both input and output directions?
> > It seems that "AllowedIPs = 10.1.0.3/32" only added the ip route rule
> > "10.1.0.3 dev wg1  scope link" on my side,
> > can it prevent the peer from sending packets to my 10.1.0.1:80 from 10.1.0.4?
> > On Mon, Dec 17, 2018 at 3:40 PM Jason A. Donenfeld <Jason at zx2c4.com> wrote:
> > >
> > > On Mon, Dec 17, 2018 at 2:42 AM KeXianbin(http://diyism.com)
> > > <kexianbin at diyism.com> wrote:
> > > > AllowedIPs = 10.1.0.3/32
> > > > [...]
> > > > If I want to limit the peer to a fixed IP 10.1.0.3, any wg1.conf
> > > > OPTION to config it?
> > > >
> > > > Currently,  the peer can set any IP, for example 10.1.0.4, and can
> > > > send packets to my http://10.1.0.1:80 from 10.1.0.4.
> > >
> > > Setting that peer's allowedips to 10.1.0.3/32 should accomplish
> > > exactly what you want; that peer is _only_ allowed to send packets as
> > > that IP. If the peer attempts to send packets as 10.1.0.4, WireGuard
> > > should reject those packets. If it doesn't, that sounds like a major
> > > bug.
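The thread's point, that AllowedIPs is a single cryptokey routing table consulted in both directions, is easy to see in a small model. The following is an added example, not code from the WireGuard project or from anyone in this thread; the class name `CryptokeyRouter`, the peer label `peer_10_1_0_3` and the sample packets are constructed for illustration. Only the outbound half of the table shows up as `ip route` entries; the inbound check happens after decryption and is invisible in the routing table, which is why the `10.1.0.3 dev wg1 scope link` route alone looked like it was one-directional.

```python
import ipaddress
from typing import Dict, List, Optional, Union

Net = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


class CryptokeyRouter:
    """Toy model of WireGuard's cryptokey routing table (constructed example).

    Each peer owns a list of AllowedIPs networks. The same list is used twice:
      - inbound: after a packet is decrypted with a peer's key, its inner
        source address must fall inside that peer's AllowedIPs, else it is dropped;
      - outbound: the destination is matched (longest prefix wins) against every
        peer's AllowedIPs to choose which peer the packet is encrypted to.
    """

    def __init__(self) -> None:
        self.peers: Dict[str, List[Net]] = {}

    def add_peer(self, name: str, allowed_ips: str) -> None:
        # allowed_ips is the comma-separated AllowedIPs value from wg1.conf
        self.peers[name] = [
            ipaddress.ip_network(p.strip(), strict=False)
            for p in allowed_ips.split(",") if p.strip()
        ]

    def accepts_inbound(self, peer: str, src_ip: str) -> bool:
        """Inbound check: may this peer send packets *as* src_ip?"""
        src = ipaddress.ip_address(src_ip)
        return any(src in net for net in self.peers.get(peer, []))

    def route_outbound(self, dst_ip: str) -> Optional[str]:
        """Outbound lookup: which peer (if any) is dst_ip encrypted to?"""
        dst = ipaddress.ip_address(dst_ip)
        best: Optional[str] = None
        best_len = -1
        for name, nets in self.peers.items():
            for net in nets:
                if dst in net and net.prefixlen > best_len:
                    best, best_len = name, net.prefixlen
        return best

    def route_lines(self, ifname: str) -> List[str]:
        """The outbound side as wg-quick-style kernel routes (the only part
        visible in `ip route`); the inbound filter has no such representation."""
        return [f"ip route add {net} dev {ifname}"
                for nets in self.peers.values() for net in nets]


def demo() -> Dict[str, object]:
    # Constructed wg1.conf peer: pinned to 10.1.0.3, plus a Google range
    # routed through that peer, as in the thread.
    r = CryptokeyRouter()
    r.add_peer("peer_10_1_0_3", "10.1.0.3/32, 216.58.0.0/18")
    return {
        # the peer sending as its assigned address: accepted
        "inbound_from_10.1.0.3": r.accepts_inbound("peer_10_1_0_3", "10.1.0.3"),
        # the peer spoofing 10.1.0.4: dropped by the same table
        "inbound_from_10.1.0.4": r.accepts_inbound("peer_10_1_0_3", "10.1.0.4"),
        # outbound traffic to the Google range is steered to that peer
        "outbound_216.58.1.1": r.route_outbound("216.58.1.1"),
        # nobody owns 10.1.0.4, so there is no peer to encrypt to
        "outbound_10.1.0.4": r.route_outbound("10.1.0.4"),
        "routes": r.route_lines("wg1"),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Running it shows the inbound packet from 10.1.0.4 being refused even though the only visible artefact of the configuration is the route for 10.1.0.3 and 216.58.0.0/18; adding a second peer with an overlapping prefix would also show that the longest match decides the outbound peer.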