wg addconf :: AllowedIPs gets deleted with the additions of peers

Adrian Sevcenco adrian.sev at gmail.com
Tue Jun 26 09:34:48 CEST 2018

On 06/25/2018 11:37 PM, Toke Høiland-Jørgensen wrote:
> Adrian Sevcenco <adrian.sev at gmail.com> writes:
>> On 06/25/2018 10:55 PM, Toke Høiland-Jørgensen wrote:
>>> Adrian Sevcenco <adrian.sev at gmail.com> writes:
>>>> Hi! It seems that AllowedIPs declaration gets erased when peers are
>>>> added with addconf
>>> You can't have the same AllowedIPs for two different peers... :)
>> Err... so, it's a bug or a feature?
> A feature. The AllowedIPs controls which IP addresses will be routed to
> that peer. They refer to addresses inside the tunnel. So depending on
> your setup you'd specify the single IP you assign each peer, or possibly
> any subnets behind that peer you want routed through the tunnel.
Then, how can i set a default allow everything for each peer? Should i 
make a different tunnel for each peer?
But given your explanation i still feel that it is a bug that when an 
AllowIPs is declared with the addition of a second peer the declaration 
from the first peer gets erased ...
It should be either a global setting per tunnel OR an individual setting 
per peer (in which case it should stay set)

Thank you!!

>> If it is a feature how can i make server accept whatever ip get the
>> client(s) in various networks?
> Changing IPs *on the outside* of the tunnel will be accepted
> automatically. The Endpoint specifier is only the initial address; if a
> device changes its IP, it'll just keep sending packets from the new IP,
> and because they are authenticated by the crypto, the other peer will
> accept them and change its notion of what IP the other peer is
> reachable at automatically. So as long as only one peer changes its IP
> at a time, roaming mostly just works :)
> -Toke

More information about the WireGuard mailing list