The WireGuard server treats some peers differently:
My vgreen.conf
[Interface]
Address = 172.24.1.1/16
Address = fd80:c245:8495::1/64
SaveConfig = true
ListenPort = 5173
PrivateKey = xxx=
[Peer]
PublicKey = aX+IE2XX9VeGOOrPvg8aYN+E4PJ1DzgcqStjEPuyIAI=
AllowedIPs = 172.24.1.164/32, 172.24.1.0/24
[Peer]
PublicKey = J1/ApWyIGHxrniWBtzGt1LSvsgbsmAmtDXX73kJ9kTQ=
AllowedIPs = 172.24.1.201/32, 172.24.1.0/24, 172.24.2.0/24
[Peer]
PublicKey = x15h0G9WqUkV671c5Uu8krce5Bcd/ZFy8zT26asCVX4=
AllowedIPs = 172.24.2.114/32, 172.24.1.0/24
== Output of "wg show"
interface: vgreen
public key: xxxx=
private key: (hidden)
listening port: 5173
peer: aX+IE2XX9VeGOOrPvg8aYN+E4PJ1DzgcqStjEPuyIAI=
endpoint: 10.10.100.164:50160
allowed ips: 172.24.1.164/32
peer: J1/ApWyIGHxrniWBtzGt1LSvsgbsmAmtDXX73kJ9kTQ=
endpoint: 10.10.100.201:52308
allowed ips: (none)
latest handshake: 18 seconds ago
transfer: 296 B received, 248 B sent
peer: x15h0G9WqUkV671c5Uu8krce5Bcd/ZFy8zT26asCVX4=
allowed ips: 172.24.2.114/32, 172.24.1.0/24
Why does the first peer lose one AllowedIPs, the second peer all, and the third none?
== Comments

wg show immediately after you start wg?

172.24.1.0/24 out of all 3 peers? Your config is broken, don't know why the other allowedIPs disappear, but a broken config may do odd things

AllowedIPs. It merely means that traffic with a source IP being one of the listed can come from that peer and traffic with a destination IP being one of the listed can go to that peer. If you want to limit the destinations a peer can access (via this peer), you need to use iptables / nftables.
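The following is an added example, not code from the question or from the WireGuard project. It parses the vgreen.conf shown above and models WireGuard's cryptokey routing table under one assumption: every prefix belongs to exactly one peer, so assigning a prefix that an earlier peer already holds moves it to the later peer. That assumption reproduces the first peer losing 172.24.1.0/24 and the third peer keeping it; it does not reproduce the second peer ending up with "(none)", which the comments above also cannot explain. The lookup functions illustrate the semantics described in the last comment: outbound packets are routed to the peer with the longest matching prefix, and inbound packets from a peer are accepted only if their source IP routes back to that same peer. Function names are mine; the config text is copied from the question.

```python
import ipaddress
from collections import OrderedDict

# Sample input: the asker's vgreen.conf from the question, copied as given there.
SAMPLE_CONF = """
[Interface]
Address = 172.24.1.1/16
Address = fd80:c245:8495::1/64
SaveConfig = true
ListenPort = 5173
PrivateKey = xxx=
[Peer]
PublicKey = aX+IE2XX9VeGOOrPvg8aYN+E4PJ1DzgcqStjEPuyIAI=
AllowedIPs = 172.24.1.164/32, 172.24.1.0/24
[Peer]
PublicKey = J1/ApWyIGHxrniWBtzGt1LSvsgbsmAmtDXX73kJ9kTQ=
AllowedIPs = 172.24.1.201/32, 172.24.1.0/24, 172.24.2.0/24
[Peer]
PublicKey = x15h0G9WqUkV671c5Uu8krce5Bcd/ZFy8zT26asCVX4=
AllowedIPs = 172.24.2.114/32, 172.24.1.0/24
"""


def parse_peers(conf_text):
    """Return [(public_key, [ip_network, ...]), ...] in file order from a wg-quick style config."""
    peers = []
    section = None
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            if section == "peer":
                peers.append({"PublicKey": None, "AllowedIPs": []})
            continue
        if section != "peer" or "=" not in line:
            continue
        key, value = (s.strip() for s in line.split("=", 1))  # keys contain '=', split once
        if key == "PublicKey":
            peers[-1]["PublicKey"] = value
        elif key == "AllowedIPs":
            for cidr in value.split(","):
                cidr = cidr.strip()
                if cidr:
                    peers[-1]["AllowedIPs"].append(ipaddress.ip_network(cidr, strict=False))
    return [(p["PublicKey"], p["AllowedIPs"]) for p in peers]


def build_cryptokey_table(peers):
    """Model of the cryptokey routing table: prefix -> owning peer.

    Assumption of this model (not taken from the page): a prefix already held by an
    earlier peer is moved to the later peer that declares it. Each move is recorded.
    """
    table = {}
    moved = []  # (prefix, previous_owner, new_owner)
    for pubkey, nets in peers:
        for net in nets:
            if net in table and table[net] != pubkey:
                moved.append((net, table[net], pubkey))
            table[net] = pubkey
    return table, moved


def effective_allowed_ips(peers):
    """What 'wg show' would list per peer under the move-to-later-peer assumption."""
    table, _ = build_cryptokey_table(peers)
    result = OrderedDict((pk, []) for pk, _ in peers)
    for net, pk in table.items():
        result[pk].append(net)
    return {pk: sorted(str(n) for n in nets) for pk, nets in result.items()}


def peer_for_destination(table, ip):
    """Outbound lookup: longest-prefix match picks the peer a packet to `ip` is sent to."""
    addr = ipaddress.ip_address(ip)
    best = None
    for net, pk in table.items():
        if addr.version == net.version and addr in net:
            if best is None or net.prefixlen > best[0].prefixlen:
                best = (net, pk)
    return best[1] if best else None


def accept_from_peer(table, pubkey, src_ip):
    """Inbound check: a decrypted packet from `pubkey` is kept only if its source IP
    routes back to that same peer; otherwise WireGuard drops it."""
    return peer_for_destination(table, src_ip) == pubkey


if __name__ == "__main__":
    peers = parse_peers(SAMPLE_CONF)
    table, moved = build_cryptokey_table(peers)
    for net, old, new in moved:
        print(f"{net} moved from {old[:8]}... to {new[:8]}...")
    for pk, nets in effective_allowed_ips(peers).items():
        print(f"peer {pk[:8]}... allowed ips: {', '.join(nets) or '(none)'}")
```

Running the duplicate check before `wg-quick up` is the practical takeaway: any prefix reported in `moved` will silently disappear from the earlier peer, and the /24 routes can only ever point at one peer. Restricting where a peer may reach once its packets are inside the tunnel is, as the last comment says, a job for iptables / nftables on the forward path, not for AllowedIPs.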