Issues with excluding private IPs

Oliver Benning obenning at
Thu Aug 15 03:36:49 CEST 2019

My setup (may be unrelated):

I have a public endpoint hosted on Digital Ocean, which I connect to simply through its external IP address as the endpoint. It was setup using Streisand.

The endpoint itself acts as a DNS resolver within the tunnel for ad blocking purposes, so the WireGuard profile uses the endpoint's internal IP address in the DNS field. This setup has been documented online.

The issue (on both Mac and iPhone clients):
I would like to exclude private IPs from the tunnel to connect to internal resources. Connection works fine with AllowedIPs=, it does not work when using the "Exclude private IPs option".

Log just shows:
[NET] peer(5m6B…jmno) - Sending handshake initiation
[NET] peer(5m6B…jmno) - Failed to send handshake initiation write udp4>[EXTERNAL-IP]:51820: sendto: network is unreachable

I also have tried using a set of CDR blocks such that the droplet's external ip is excluded from the range and that did not work either. If I have a misconception about the configuration or there is something I should try please let me know.

This may have a been recommended below but I would highly suggest a list of IPs to subtract from the tunnel. My ideal scenario would be:

AllowedIPs =

ExceptedIPs =


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>

More information about the WireGuard mailing list