wg addconf :: AllowedIPs gets deleted with the additions of peers

Eric Light eric at ericlight.com
Tue Jun 26 09:44:39 CEST 2018

Hi, Adrian!

The reason you can't have the _same_ AllowedIPs for two different peers is because that's what's used to set the routes.  How can you set two different routes for the same destination?

So, because you're trying to set, there can only ever be one peer at the end of that route.

What you need to do is set a more precise range for the AllowedIPs.  For example, and (for two hosts on different networks), or and (for two hosts on the same network).

Then if you want one host that just *everything else* tunnels through, you can set a - which behaves as your default route.

Hope that helps  :)


Q: Why is this email five sentences or less?
A: http://five.sentenc.es

On Tue, 26 Jun 2018, at 19:34, Adrian Sevcenco wrote:
> On 06/25/2018 11:37 PM, Toke Høiland-Jørgensen wrote:
> > Adrian Sevcenco <adrian.sev at gmail.com> writes:
> > 
> >> On 06/25/2018 10:55 PM, Toke Høiland-Jørgensen wrote:
> >>> Adrian Sevcenco <adrian.sev at gmail.com> writes:
> >>>
> >>>> Hi! It seems that AllowedIPs declaration gets erased when peers are
> >>>> added with addconf
> >>>
> >>> You can't have the same AllowedIPs for two different peers... :)
> >>
> >> Err... so, it's a bug or a feature?
> > 
> > A feature. The AllowedIPs controls which IP addresses will be routed to
> > that peer. They refer to addresses inside the tunnel. So depending on
> > your setup you'd specify the single IP you assign each peer, or possibly
> > any subnets behind that peer you want routed through the tunnel.
> Then, how can I set a default allow everything for each peer? Should I
> make a different tunnel for each peer?
> But given your explanation I still feel that it is a bug that when an
> AllowedIPs is declared with the addition of a second peer the declaration
> from the first peer gets erased ...
> It should be either a global setting per tunnel OR an individual setting
> per peer (in which case it should stay set)
> Thank you!!
> Adrian
> > 
> >> If it is a feature how can I make the server accept whatever IP the
> >> client(s) get in various networks?
> > 
> > Changing IPs *on the outside* of the tunnel will be accepted
> > automatically. The Endpoint specifier is only the initial address; if a
> > device changes its IP, it'll just keep sending packets from the new IP,
> > and because they are authenticated by the crypto, the other peer will
> > accept them and change its notion of what IP the other peer is
> > reachable at automatically. So as long as only one peer changes its IP
> > at a time, roaming mostly just works :)
> > 
> > -Toke
> > 
> _______________________________________________
> WireGuard mailing list
> WireGuard at lists.zx2c4.com
> https://lists.zx2c4.com/mailman/listinfo/wireguard
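
The behaviour discussed in this thread, as an added example that is not part of the original messages and is not WireGuard's own code: a small Python model of one interface's AllowedIPs table, showing why a prefix given to a second peer disappears from the first, and how distinct /32s plus a single 0.0.0.0/0 peer resolve by longest-prefix match. The peer names and addresses are constructed, and a plain dict stands in for the real lookup structure.

```python
import ipaddress


class AllowedIPsTable:
    """Toy model of one interface's AllowedIPs table (assumption: dict, not a trie)."""

    def __init__(self):
        self._owner = {}  # ip_network -> peer name; each prefix has exactly one owner

    def add(self, peer, cidr):
        """Assign cidr to peer. Returns the peer that lost the prefix, if any."""
        net = ipaddress.ip_network(cidr, strict=False)
        previous = self._owner.get(net)
        self._owner[net] = peer  # the last peer to claim a prefix keeps it
        return previous if previous != peer else None

    def allowed_ips(self, peer):
        return sorted(str(n) for n, p in self._owner.items() if p == peer)

    def route(self, dst):
        """Outbound: pick the peer owning the most specific prefix covering dst."""
        addr = ipaddress.ip_address(dst)
        hits = [n for n in self._owner if n.version == addr.version and addr in n]
        return self._owner[max(hits, key=lambda n: n.prefixlen)] if hits else None

    def accepts(self, peer, src):
        """Inbound: a decrypted packet is kept only if src maps back to its sender."""
        return self.route(src) == peer


def demo():
    # Constructed case from the report: the same 0.0.0.0/0 on two peers.
    t = AllowedIPsTable()
    t.add("peerA", "0.0.0.0/0")
    lost_by = t.add("peerB", "0.0.0.0/0")
    broken = (lost_by, t.allowed_ips("peerA"), t.route("10.0.0.2"))

    # Suggested layout: one /32 per peer, plus one peer acting as default route.
    f = AllowedIPsTable()
    f.add("peerA", "10.0.0.2/32")
    f.add("peerB", "10.0.0.3/32")
    f.add("peerB", "0.0.0.0/0")
    fixed = (f.route("10.0.0.2"), f.route("10.0.0.3"),
             f.route("198.51.100.7"), f.accepts("peerA", "198.51.100.7"))
    return broken, fixed


if __name__ == "__main__":
    print(demo())
```

The same table is consulted in both directions, so a peer without a covering prefix can neither be sent traffic for that address nor have packets from it accepted.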
