Eric Light eric at
Sun Aug 30 01:16:45 CEST 2020

I believe it's both, in a way.

As far as wg is concerned, the AllowedIPs is effectively an ACL. Any traffic hitting your WireGuard interface from an IP not within the AllowedIPs will either be dropped on decryption, or won't even be decrypted. (It's one of these, but I can't remember which.)

On top of that, wg-quick interprets the AllowedIPs string and does other things, such as adding appropriate network routing (the second part of your guess), as well as modifying any client firewall rules to permit the traffic.

Hope this helps  :)


Q: Why is this email five sentences or less?

On Sun, 30 Aug 2020, at 04:07, Aaron Bolton wrote:
> I’m trying to understand AllowedIPs better: is it effectively an ACL
> that says what is allowed down the tunnel, or is it a mechanism to
> configure what addresses get routed down the tunnel?
> Thanks in advance
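
An added illustration, not part of the thread above and not WireGuard's own code: a small Python model of the two roles AllowedIPs plays. Outbound, the destination address selects the peer by longest-prefix match; inbound, after a packet has been authenticated and decrypted for a peer, its inner source address must map back to that same peer or the packet is dropped. The peer names and prefixes are constructed sample values.

```python
import ipaddress

# Constructed sample configuration: peer name -> AllowedIPs (illustrative only).
PEERS = {
    "peer-a": ["10.0.0.2/32", "192.168.10.0/24"],
    "peer-b": ["10.0.0.3/32", "0.0.0.0/0"],
}


def build_table(peers):
    """Flatten peer -> AllowedIPs into a list of (network, peer) pairs."""
    return [(ipaddress.ip_network(prefix), name)
            for name, prefixes in peers.items()
            for prefix in prefixes]


def peer_for_destination(table, dst):
    """Outbound role (routing): the peer whose AllowedIPs entry is the
    longest prefix covering dst, or None if no entry covers it."""
    addr = ipaddress.ip_address(dst)
    matches = [(net.prefixlen, name) for net, name in table
               if net.version == addr.version and addr in net]
    return max(matches)[1] if matches else None


def accept_inbound(table, authenticated_peer, inner_src):
    """Inbound role (ACL): a decrypted packet is accepted only if its inner
    source address looks up to the peer whose key decrypted it."""
    return peer_for_destination(table, inner_src) == authenticated_peer


TABLE = build_table(PEERS)

if __name__ == "__main__":
    for dst in ("192.168.10.5", "10.0.0.2", "8.8.8.8"):
        print("send to", dst, "via", peer_for_destination(TABLE, dst))
    for peer, src in (("peer-a", "192.168.10.7"), ("peer-a", "8.8.8.8")):
        verdict = "accept" if accept_inbound(TABLE, peer, src) else "drop"
        print("from", peer, "inner src", src, "->", verdict)
```

The routes and firewall changes that wg-quick derives from AllowedIPs live in the host's own routing table and are a separate layer from this per-interface lookup.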
