Behaviour of multiple Allowed-IPs or ::0/0?

Samuel Holland samuel at
Thu Dec 27 20:23:22 CET 2018

On 12/27/18 10:27, Rene 'Renne' Bartsch, B.Sc. Informatics wrote:
> how does WireGuard behave with multiple peers with Allowed-IPs or
> ::0/0?

That's not allowed. To quote the WireGuard homepage: "when sending packets, the
list of allowed IPs behaves as a sort of routing table, and when receiving
packets, the list of allowed IPs behaves as a sort of access control list."

If two peers had the same network "" in AllowedIPs, how would you
choose which peer to send packets to? You can't, so WireGuard prohibits
duplicating AllowedIPs networks across peers. If you add "" to the
AllowedIPs of one peer, it is removed from the AllowedIPs of every other peer.
(So the end result is that the last peer in the configuration file ends up with
the AllowedIPs of

If you have static allocation of internal IP addresses, then you don't want
AllowedIPs of If Host A is always assigned IP, then its
AllowedIPs only need to be Host B can have AllowedIPs of etc.
and they don't overlap.

On the other hand, if you want to do dynamic routing or multipath, the best
solution for now is to have a separate WireGuard interface for each peer. Then
you can use, because routing decisions are made at the kernel routing
layer, not by WireGuard.

Hope that helps,
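
Added example, not part of the original message and not WireGuard's own code: a small Python model of the behaviour described above, which flags any AllowedIPs prefix that a later peer takes over from an earlier one and then shows the routing-table and access-control roles of the resulting table. The peer names and addresses are constructed placeholders, and the model assumes that distinct overlapping prefixes are resolved by most-specific match.

```python
import ipaddress

# Constructed sample: peer names and addresses are placeholders, not from the post.
SAMPLE = """\
[Peer]
PublicKey = PEER_A
AllowedIPs = 10.0.0.1/32, 0.0.0.0/0

[Peer]
PublicKey = PEER_B
AllowedIPs = 10.0.0.2/32, 0.0.0.0/0
"""

def parse_peers(conf):
    """Parse [Peer] sections into [{'key': str, 'nets': [ip_network, ...]}, ...]."""
    peers, cur = [], None
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("["):
            cur = {"key": None, "nets": []} if line.lower() == "[peer]" else None
            if cur is not None:
                peers.append(cur)
        elif cur is not None and "=" in line:
            k, v = (s.strip() for s in line.split("=", 1))
            if k.lower() == "publickey":
                cur["key"] = v
            elif k.lower() == "allowedips":
                cur["nets"] += [ipaddress.ip_network(x.strip(), strict=False)
                                for x in v.split(",") if x.strip()]
    return peers

def build_table(peers):
    """Apply peers in file order; an identical prefix moves to the later peer."""
    table, moved = {}, []
    for p in peers:
        for net in p["nets"]:
            if net in table and table[net] != p["key"]:
                moved.append((str(net), table[net], p["key"]))
            table[net] = p["key"]
    return table, moved

def route(table, dst):
    """Sending: the most specific matching prefix selects the peer."""
    addr = ipaddress.ip_address(dst)
    hits = [n for n in table if n.version == addr.version and addr in n]
    return table[max(hits, key=lambda n: n.prefixlen)] if hits else None

def accept(table, peer, src):
    """Receiving: keep a packet only if its source address maps to the sending peer."""
    return route(table, src) == peer
```

A non-empty `moved` list from `build_table(parse_peers(SAMPLE))` means an earlier peer silently lost a prefix, so its traffic from those source addresses would no longer pass the receive check.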
