Confused about AllowedIPs meaning?

John Sager john at sager.me.uk
Wed Jul 29 12:40:00 CEST 2020


So, are you running a RPi at each end as the Wireguard termination point? 
I'm assuming you can't run Wireguard on your border routers. If you could 
the config is easier, and you could if you used OpenWrt on the border 
routers. I'm also assuming that your border routers are wifi access points, 
so all your hosts connect there. So:

1) Give the RPi a static address on its home network, and a default route to 
its own border router. Put a static route in the border router to point to 
the RPi for the network address range at the *other* end. So all hosts 
connected to the border router go to the Internet for everything except the 
other network, which go to the RPi.

2) Put NAT rules in the border routers to point the Wireguard port to the 
RPi at its own end.

3) At RPi A set Wireguard to point to the Internet address & Wireguard port 
for Network B. Set AllowedIPs to the network B range.

4) Mirror (3) at the B end.

HTH John

On 26/07/2020 11:57, Gunnar Niels wrote:
> Hello, I'm new to wireguard and have been experimenting with it in my home lab.
> I'm interesting in using it to join two home networks (192.168.2.0/24 and
> 192.168.4.0/24). They're typical home networks in two physically different
> locations, each with their own gateways to the internet. I'd like for the
> machines on each network to use their default gateway for internet access, but
> configure things so they use a simple linux machine (raspberry pi) to route
> to the other subnet over wireguard is the destination is the opposite subnet.
> 
> One wireguard node is exposed via an endpoint with a dns A record (I'm port
> forwarding to the internal machine). On the other subnet, the rpi node is 
> behind
> NAT and pointed to that endpoint.
> 
> I have been able to get the wireguard nodes to connect and route machines on
> their opposite networks, but I haven't been able to get non-wireguard nodes
> to communicate with non-wireguard nodes across the tunnel. I have a few 
> questions
> I'm trying to clear up:
> 
> * Is it true that there isn't really a notion of a server/client from 
> wireguard's
> perspective, they're really just nodes, and I've applied the semantic 
> designation
> of the node behind the endpoint as a server, and the node behind the NAT as 
> the client?
> 
> * Here's my "server" config on 192.168.2.0/24:
> 
> ===
> 
> [Interface]
> Address = 10.2.0.1/24
> ListenPort = 34777
> PrivateKey = <server_priv_key>
> 
> [Peer]
> PublicKey = <client_pub_key>
> AllowedIPs = 10.2.0.2/32
> 
> ===
> 
> Here's my "client" config on 192.168.4.0/24
> 
> ===
> 
> [Interface]
> Address = 10.2.0.2/24
> PrivateKey = <client_priv_key>
> 
> [Peer]
> PublicKey = <server_pub_key>
> AllowedIPs = 0.0.0.0/0
> Endpoint = <server_host>:34777
> PersistentKeepalive = 15
> 
> ===
> 
> 
> The simplicity of the wireguard config is one of the best features about it,
> but the only thing I'm unclear about here is: exactly what is the "AllowedIPs"
> field configuring? I'm not sure how to configure these fields for my use-case.
> I'm guessing the server configuration is explicitly whitelisting the client,
> but I'm not sure what 0.0.0.0/24 on the clientside is saying. It feels like
> I should have my subnets as part of this field, but I'm not sure where because
> I'm not sure exactly what the field represents.
> 
> If someone could elaborate on it and point me in the right direction given my
> objective, that would be much appreciated!
> 
> -GN
> 


More information about the WireGuard mailing list