Support ip6tables-like network masks for allowed-ips besides CIDR

dllud dllud at
Mon Jan 14 06:51:20 CET 2019

Hi everyone,

Would it be possible for wireguard to support ip6tables-like network
masks [1] for the allowed-ips besides CIDR masks?
With CIDR we are limited to variable suffixes. While with network masks
we could have variable prefixes, suffixes or any combination.



Use case (why does it matter to me): I have a client-server setup where
I would like to allow the client peers to choose any IPv6 they wish as
long as they honor a given suffix. Collision are avoided by having an
unique suffix for each client. With CIDR I can only make clients honor a

The long story
On my home network I reserved two IPv6 subnets for Wireguard clients:
- a private one, eg. fdaa:aaaa:aaaa:aabb::/64 (never changes);
- a public one, eg. 2001:aaaa:aaaa:aabb::/64 which is a subnet of the
subnet attributed by my ISP (the positions marked with aa's change
regularly according to the dynamic assigning done by my ISP).

Attributing public IPv6 addresses to the wireguard clients allows them
to reach the Internet through the tunnel with no need for NAT.

Currently, there seems to be no way of dynamically attributing IPs to
clients. (Or is there some kind of DHCPv6 over Wireguard?) Thus, to keep
my Cryptokey Routing Table working properly I have to update it on both
server and clients whenever my ISP attributes me a different subnet
(power outages, router restarts, etc.).
This is easy on the clients, which connect and disconnect regularly. I
just need a small script to connect to the wireguard server, that gets
the current public subnet (from Dynamic DNS) before setting the public
IPv6 for tunnel interface.
Things are nastier on the server side though, which is an OpenWrt
router. I would need a cron/procd job hammering OpenWrt config files
whenever a change is detected.
Network masks would be a much cleaner solution on this setup and
probably many others.

Note: I trust all my client peers (which are just me, on other computers
outside my home network).


Thanks for building wireguard and specially for publishing it as
open-source. You have a great piece of software here. Much appreciated.



More information about the WireGuard mailing list