Suggestion for WireGuard
lifeng1519 at gmail.com
Thu Sep 2 04:54:21 UTC 2021
I have asked this question some months ago like you,
and don't get my answer, this is a workaround from me
to calculate the AllowedIPs, maybe can help you:
def address_exclude(rr, r1):
out = 
for r in rr:
out += list(r.address_exclude(r1))
def calc_exclude(includes, excludes):
includes_addr = [ ipaddress.ip_network(i) for i in includes ]
excludes_addr = [ ipaddress.ip_network(e) for e in excludes ]
for e in excludes_addr:
includes_addr = address_exclude(includes_addr, e)
strs = [str(i) for i in includes_addr]
print("AllowedIPs = " + ",".join(strs))
calc_exclude(includes=['0.0.0.0/0'], excludes=['192.168.0.0/16', '10.0.0.0/8'])
I have asked this question here too:
On Wed, Sep 1, 2021 at 9:50 PM Kassem Omega <kassemomega at gmail.com> wrote:
> I sent this before a couple of times to the mailing list but either it
> didn't go through or it is forbidden somehow? I never got any decision
> from the list moderator that it is forbidden to send suggestions at
> all. Hopefully someone can answer with anything.
> I was wondering if there is any chance of adding the opposite of
> AllowedIPs option to WireGuard?
> Currently, WireGuard has a whitelist option only that specifies which
> IPs to go through it, however I believe adding the blacklist option
> would be beneficial and easier to configure.
> The use case: allowing all traffic to go through WireGuard except
> specific ranges.
> Right now to do this I must use this long list of ranges to achieve this:
> AllowedIPs = 0.0.0.0/5, 22.214.171.124/7, 126.96.36.199/8, 188.8.131.52/6, 184.108.40.206/4,
> 220.127.116.11/3, 18.104.22.168/2, 22.214.171.124/3, 126.96.36.199/5, 188.8.131.52/6,
> 184.108.40.206/12, 172.16.0.0/24, 220.127.116.11/11, 18.104.22.168/10,
> 22.214.171.124/9, 126.96.36.199/8, 188.8.131.52/7, 184.108.40.206/4, 192.0.0.0/9,
> 220.127.116.11/11, 18.104.22.168/13, 22.214.171.124/16, 126.96.36.199/15,
> 188.8.131.52/14, 184.108.40.206/12, 220.127.116.11/10, 18.104.22.168/8,
> 22.214.171.124/7, 126.96.36.199/6, 188.8.131.52/5, 184.108.40.206/4, 220.127.116.11/32
> However, if the DisallowedIPs option is available, I'd simply use:
> DisallowedIPs = 192.168.0.0/16, 10.0.0.0/8
> What do you think?
> Thank you.
More information about the WireGuard