Suggestion for WireGuard
Feng Li
lifeng1519 at gmail.com
Thu Sep 2 04:54:21 UTC 2021
I have asked this question some months ago like you,
and don't get my answer, this is a workaround from me
to calculate the AllowedIPs, maybe can help you:
```
#!/usr/bin/python
import ipaddress
def address_exclude(rr, r1):
out = []
for r in rr:
if r1.subnet_of(r):
out += list(r.address_exclude(r1))
else:
out.append(r)
return out
def calc_exclude(includes, excludes):
includes_addr = [ ipaddress.ip_network(i) for i in includes ]
excludes_addr = [ ipaddress.ip_network(e) for e in excludes ]
for e in excludes_addr:
includes_addr = address_exclude(includes_addr, e)
strs = [str(i) for i in includes_addr]
print("AllowedIPs = " + ",".join(strs))
calc_exclude(includes=['0.0.0.0/0'], excludes=['192.168.0.0/16', '10.0.0.0/8'])
```
I have asked this question here too:
https://www.reddit.com/r/WireGuard/comments/m44fi5/enhance_the_allowedips/
On Wed, Sep 1, 2021 at 9:50 PM Kassem Omega <kassemomega at gmail.com> wrote:
>
> Hi,
>
> I sent this before a couple of times to the mailing list but either it
> didn't go through or it is forbidden somehow? I never got any decision
> from the list moderator that it is forbidden to send suggestions at
> all. Hopefully someone can answer with anything.
>
> I was wondering if there is any chance of adding the opposite of
> AllowedIPs option to WireGuard?
>
> Currently, WireGuard has a whitelist option only that specifies which
> IPs to go through it, however I believe adding the blacklist option
> would be beneficial and easier to configure.
>
> The use case: allowing all traffic to go through WireGuard except
> specific ranges.
>
> Right now to do this I must use this long list of ranges to achieve this:
>
> AllowedIPs = 0.0.0.0/5, 8.0.0.0/7, 11.0.0.0/8, 12.0.0.0/6, 16.0.0.0/4,
> 32.0.0.0/3, 64.0.0.0/2, 128.0.0.0/3, 160.0.0.0/5, 168.0.0.0/6,
> 172.0.0.0/12, 172.16.0.0/24, 172.32.0.0/11, 172.64.0.0/10,
> 172.128.0.0/9, 173.0.0.0/8, 174.0.0.0/7, 176.0.0.0/4, 192.0.0.0/9,
> 192.128.0.0/11, 192.160.0.0/13, 192.169.0.0/16, 192.170.0.0/15,
> 192.172.0.0/14, 192.176.0.0/12, 192.192.0.0/10, 193.0.0.0/8,
> 194.0.0.0/7, 196.0.0.0/6, 200.0.0.0/5, 208.0.0.0/4, 8.8.8.8/32
>
> However, if the DisallowedIPs option is available, I'd simply use:
>
> DisallowedIPs = 192.168.0.0/16, 10.0.0.0/8
>
> What do you think?
>
> Thank you.
> Kassem
More information about the WireGuard
mailing list