Behaviour of multiple Allowed-IPs 0.0.0.0/0 or ::0/0?

Samuel Holland samuel at sholland.org
Thu Dec 27 20:23:22 CET 2018


On 12/27/18 10:27, Rene 'Renne' Bartsch, B.Sc. Informatics wrote:
> how does WireGuard behave with multiple peers with Allowed-IPs 0.0.0.0/0 or
> ::0/0?

That's not allowed. To quote the WireGuard homepage: "when sending packets, the
list of allowed IPs behaves as a sort of routing table, and when receiving
packets, the list of allowed IPs behaves as a sort of access control list."

If two peers had the same network "0.0.0.0/0" in AllowedIPs, how would you
choose which peer to send packets to? You can't, so WireGuard prohibits
duplicating AllowedIPs networks across peers. If you add "0.0.0.0/0" to the
AllowedIPs of one peer, it is removed from the AllowedIPs of every other peer.
(So the end result is that the last peer in the configuration file ends up with
the AllowedIPs of 0.0.0.0/0).

If you have static allocation of internal IP addresses, then you don't want
AllowedIPs of 0.0.0.0/0. If Host A is always assigned IP 10.1.2.3, then its
AllowedIPs only need to be 10.1.2.3. Host B can have AllowedIPs of 10.1.2.4 etc.
and they don't overlap.

On the other hand, if you want to do dynamic routing or multipath, the best
solution for now is to have a separate WireGuard interface for each peer. Then
you can use 0.0.0.0/0, because routing decisions are made at the kernel routing
layer, not by WireGuard.

Hope that helps,
Samuel
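The AllowedIPs behaviour described in the reply above, modelled as an added example (my own code, not part of WireGuard or this thread): each prefix belongs to exactly one peer and the last assignment wins, outbound packets use longest-prefix match, and inbound packets are accepted only if the source address lies within the sending peer's prefixes. Peer names and addresses are constructed for the demonstration.

```python
import ipaddress
from typing import Dict, List, Optional


class AllowedIPsTable:
    """Per-interface AllowedIPs model: one owner per prefix, routing on
    send, access control on receive."""

    def __init__(self) -> None:
        self.routes: Dict[ipaddress.IPv4Network, str] = {}

    def add_peer(self, peer: str, allowed_ips: List[str]) -> None:
        for cidr in allowed_ips:
            net = ipaddress.ip_network(cidr, strict=False)
            # A prefix can belong to only one peer: adding it to a later
            # peer silently removes it from whichever peer had it before.
            self.routes[net] = peer

    def allowed_for(self, peer: str) -> List[str]:
        return sorted(str(n) for n, p in self.routes.items() if p == peer)

    def peer_for_destination(self, ip: str) -> Optional[str]:
        """Send side: longest-prefix match selects the peer."""
        addr = ipaddress.ip_address(ip)
        best = None
        for net, peer in self.routes.items():
            if net.version == addr.version and addr in net:
                if best is None or net.prefixlen > best[0].prefixlen:
                    best = (net, peer)
        return best[1] if best else None

    def accept_from(self, peer: str, src_ip: str) -> bool:
        """Receive side: source must fall inside that peer's prefixes."""
        addr = ipaddress.ip_address(src_ip)
        return any(addr in net for net, p in self.routes.items()
                   if p == peer and net.version == addr.version)


def build_example() -> AllowedIPsTable:
    # Constructed config: both peers list 0.0.0.0/0; B comes last, so
    # it ends up owning the default route and A keeps only its /32.
    table = AllowedIPsTable()
    table.add_peer("A", ["10.1.2.3/32", "0.0.0.0/0"])
    table.add_peer("B", ["10.1.2.4/32", "0.0.0.0/0"])
    return table


if __name__ == "__main__":
    t = build_example()
    print("A:", t.allowed_for("A"), "B:", t.allowed_for("B"))
    print("8.8.8.8 ->", t.peer_for_destination("8.8.8.8"))
```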

