Confused about AllowedIPs meaning?

Gunnar Niels gunnar.s.niels at gmail.com
Sun Jul 26 12:57:32 CEST 2020


Hello, I'm new to wireguard and have been experimenting with it in my home lab.
I'm interesting in using it to join two home networks (192.168.2.0/24 and
192.168.4.0/24). They're typical home networks in two physically different
locations, each with their own gateways to the internet. I'd like for the
machines on each network to use their default gateway for internet access, but
configure things so they use a simple linux machine (raspberry pi) to route
to the other subnet over wireguard is the destination is the opposite subnet.

One wireguard node is exposed via an endpoint with a dns A record (I'm port
forwarding to the internal machine). On the other subnet, the rpi node is behind
NAT and pointed to that endpoint.

I have been able to get the wireguard nodes to connect and route machines on
their opposite networks, but I haven't been able to get non-wireguard nodes
to communicate with non-wireguard nodes across the tunnel. I have a few questions
I'm trying to clear up:

* Is it true that there isn't really a notion of a server/client from wireguard's
perspective, they're really just nodes, and I've applied the semantic designation
of the node behind the endpoint as a server, and the node behind the NAT as the client?

* Here's my "server" config on 192.168.2.0/24:

===

[Interface]
Address = 10.2.0.1/24
ListenPort = 34777
PrivateKey = <server_priv_key>

[Peer]
PublicKey = <client_pub_key>
AllowedIPs = 10.2.0.2/32

===

Here's my "client" config on 192.168.4.0/24

===

[Interface]
Address = 10.2.0.2/24
PrivateKey = <client_priv_key>

[Peer]
PublicKey = <server_pub_key>
AllowedIPs = 0.0.0.0/0
Endpoint = <server_host>:34777
PersistentKeepalive = 15

===


The simplicity of the wireguard config is one of the best features about it,
but the only thing I'm unclear about here is: exactly what is the "AllowedIPs"
field configuring? I'm not sure how to configure these fields for my use-case.
I'm guessing the server configuration is explicitly whitelisting the client,
but I'm not sure what 0.0.0.0/24 on the clientside is saying. It feels like
I should have my subnets as part of this field, but I'm not sure where because
I'm not sure exactly what the field represents.

If someone could elaborate on it and point me in the right direction given my
objective, that would be much appreciated!

-GN



More information about the WireGuard mailing list