Reconciling "cryptokey-based" and regular routing

Tim Sedlmeyer tim at
Fri Mar 16 18:22:48 CET 2018

You need to create multiple wireguard interfaces and assign a single
peer to each.

On Fri, Mar 16, 2018 at 1:01 PM, Roman Mamedov <rm at> wrote:
> Hello,
> I need to have multiple gateways on my WG network that can provide access to
> the entire IPv4 (or IPv6) Internet, for redundancy and load-balancing
> purposes.
> In WG terms this means I need to set AllowedIPs to on more than one
> peer. Then I would add routes into the regular routing table for various
> destinations,
> ip -4 route add via
> ip -4 route add via
> or
> ip -4 route add default \
>   nexthop via weight 1 \
>   nexthop via weight 1
> or whatever.
> But as documentation and some testing show, this can't really work in WG's
> "cryptokey-routing" system. If multiple hosts have as allowed IPs,
> WG just sends everything to a random one of them (the first one?),
> disregarding all of the routing table settings from the examples above.
> Is there any possibility to still use multiple routers like that?
> If not, then could you add an option to not use AllowedIPs for routing?
> Or at least to not enforce filtering on incoming packets -- then perhaps I
> could have only and in AllowedIPs for those hosts, and
> outgoing routing would work properly, with replies from Internet hosts not
> getting filtered out?
> (Apologies for multiple posts per day, I'm just deploying WireGuard for the
> first time today, and it's quite unusual compared to what I used before. I
> will stop soon :)
> --
> With respect,
> Roman
> _______________________________________________
> WireGuard mailing list
> WireGuard at
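
The one-interface-per-peer layout suggested in the reply, as an added example that is not part of the original thread. Interface names, tunnel addresses, endpoint addresses, the underlay gateway, the angle-bracket key placeholders and the helper names `peer_conf` and `plan` are all constructed assumptions; the host routes that pin each endpoint to the underlay are an addition the thread does not discuss.

```sh
#!/bin/sh
# One WireGuard interface per gateway, each with a single peer, so every
# peer can hold AllowedIPs for all of IPv4 and the kernel routing table
# (not cryptokey routing) chooses the gateway.
# All keys, addresses and interface names are constructed placeholders.

UNDERLAY_GW=192.168.1.1   # assumed existing LAN gateway
UNDERLAY_DEV=eth0         # assumed physical interface

# ifname|peer public key|endpoint IP|endpoint port|local tunnel address
GATEWAYS='wg-gw1|<GW1_PUBLIC_KEY>|192.0.2.10|51820|10.99.1.2/24
wg-gw2|<GW2_PUBLIC_KEY>|192.0.2.20|51820|10.99.2.2/24'

# wg(8) configuration for one interface: exactly one [Peer] section.
peer_conf() {  # $1 = peer public key, $2 = endpoint ip:port
    printf '[Interface]\nPrivateKey = <LOCAL_PRIVATE_KEY>\n\n'
    printf '[Peer]\nPublicKey = %s\nEndpoint = %s\n' "$1" "$2"
    printf 'AllowedIPs = 0.0.0.0/0\n'
}

# Write one config per gateway into directory $1 and print (not run)
# the commands that create the interfaces and the multipath route.
plan() {
    route='ip -4 route replace default'
    while IFS='|' read -r ifname pubkey ep_ip ep_port addr; do
        # The config holds a private key: create it owner-readable only.
        ( umask 077; peer_conf "$pubkey" "$ep_ip:$ep_port" > "$1/$ifname.conf" )
        # Pin the encrypted UDP to the underlay so it never re-enters a tunnel.
        echo "ip -4 route add $ep_ip/32 via $UNDERLAY_GW dev $UNDERLAY_DEV"
        echo "ip link add dev $ifname type wireguard"
        echo "wg setconf $ifname $1/$ifname.conf"
        echo "ip address add $addr dev $ifname"
        echo "ip link set up dev $ifname"
        route="$route nexthop dev $ifname weight 1"
    done <<EOF
$GATEWAYS
EOF
    # Gateway selection is now an ordinary multipath routing decision.
    echo "$route"
}

# Usage: sh thisfile.sh /etc/wireguard   (prints the plan, writes the configs)
if [ $# -gt 0 ]; then plan "$1"; fi
```

Review the printed commands before running them as root; the same pattern applies to IPv6 with `::/0` and `ip -6`.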
