
The WireGuard server treats some peers differently:

My vgreen.conf

[Interface]
Address = 172.24.1.1/16
Address = fd80:c245:8495::1/64
SaveConfig = true
ListenPort = 5173
PrivateKey = xxx=

[Peer]
PublicKey = aX+IE2XX9VeGOOrPvg8aYN+E4PJ1DzgcqStjEPuyIAI=
AllowedIPs = 172.24.1.164/32, 172.24.1.0/24


[Peer]
PublicKey = J1/ApWyIGHxrniWBtzGt1LSvsgbsmAmtDXX73kJ9kTQ=
AllowedIPs = 172.24.1.201/32, 172.24.1.0/24, 172.24.2.0/24

[Peer]
PublicKey = x15h0G9WqUkV671c5Uu8krce5Bcd/ZFy8zT26asCVX4=
AllowedIPs = 172.24.2.114/32, 172.24.1.0/24

== Output of "wg show"

interface: vgreen
  public key: xxxx=
  private key: (hidden)
  listening port: 5173

peer: aX+IE2XX9VeGOOrPvg8aYN+E4PJ1DzgcqStjEPuyIAI=
  endpoint: 10.10.100.164:50160
  allowed ips: 172.24.1.164/32

peer: J1/ApWyIGHxrniWBtzGt1LSvsgbsmAmtDXX73kJ9kTQ=
  endpoint: 10.10.100.201:52308
  allowed ips: (none)
  latest handshake: 18 seconds ago
  transfer: 296 B received, 248 B sent
peer: x15h0G9WqUkV671c5Uu8krce5Bcd/ZFy8zT26asCVX4=
  allowed ips: 172.24.2.114/32, 172.24.1.0/24

Why does the first peer lose one AllowedIPs, the second peer all, and the third none?

  • Is this the state of wg show immediately after you start wg? Nov 30 at 22:38
  • 1
    oh, wait, how can you allow outbound traffic to 172.24.1.0/24 out of all 3 peers? Your config is broken, don't know why the other allowedIPs disappear, but a broken config may do odd things Nov 30 at 22:45
  • Thanks Jaromanda for the answer. But what is wrong with 172.24.1.0/24? I want to allow those peers access to the whole subnet.
    – Hamatoma
    Dec 1 at 8:09
  • Do I have to specify all permitted peers individually?
    – Hamatoma
    Dec 1 at 8:17
  • You've misunderstood the purpose/meaning of AllowedIPs. It merely means that traffic with a source IP in the list can come from that peer and traffic with a destination IP in the list can go to that peer. If you want to limit the destinations a peer can access (via this peer), you need to use iptables / nftables.
    – Tom Yan
    Dec 1 at 8:38

1 Answer


The configuration is wrong: I had to remove the subnet addresses.

The permissions to access some peers cannot be given by AllowedIPs, it must be specified with iptables/nftables (firewall).

Thanks to Tom Yan for the explanation.
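The behaviour in the question and the fix in the answer follow from one property of WireGuard's cryptokey routing table: every AllowedIPs prefix is owned by exactly one peer, and a later [Peer] that lists a prefix an earlier peer already claimed takes it away from that peer. Lookups are longest-prefix match on the destination (outbound) and on the source (inbound), so a prefix is both a route and an ingress filter, not an access list. The following is an added example, not code from the question, the answer or the WireGuard project: a small Python model of that table, run on the three-peer config from the question and on the /32-only config the answer arrived at. Peer names and the sample packet addresses are constructed for illustration. The model reproduces 172.24.1.0/24 ending up only on the last peer; it does not explain why the second peer in the posted `wg show` output also lost its other entries, which the page leaves open.

```python
import ipaddress

# Constructed from the question's vgreen.conf; public keys replaced by labels.
PEERS = [
    ("peer1", ["172.24.1.164/32", "172.24.1.0/24"]),
    ("peer2", ["172.24.1.201/32", "172.24.1.0/24", "172.24.2.0/24"]),
    ("peer3", ["172.24.2.114/32", "172.24.1.0/24"]),
]

# The answer's fix: each peer keeps only its own address, subnet access is
# left to the firewall on the server side.
FIXED_PEERS = [
    ("peer1", ["172.24.1.164/32"]),
    ("peer2", ["172.24.1.201/32"]),
    ("peer3", ["172.24.2.114/32"]),
]


class CryptokeyRouter:
    """Toy model of WireGuard's cryptokey routing table.

    A prefix maps to exactly one peer; adding it for another peer moves
    ownership (last peer wins).  Outbound lookups use longest-prefix match on
    the destination, inbound checks use the same match on the source address.
    """

    def __init__(self):
        self.table = {}  # ip_network -> peer name

    def add_peer(self, name, allowed_ips):
        for cidr in allowed_ips:
            # strict=False masks host bits, as wg does for AllowedIPs
            net = ipaddress.ip_network(cidr, strict=False)
            self.table[net] = name  # overwrite: earlier owner silently loses it

    def allowed_ips(self, name):
        """What `wg show` would list for this peer."""
        return sorted(str(net) for net, peer in self.table.items() if peer == name)

    def route(self, dst):
        """Peer an outbound packet to dst is encrypted to, or None (dropped)."""
        addr = ipaddress.ip_address(dst)
        best = None
        for net, peer in self.table.items():
            if addr.version == net.version and addr in net:
                if best is None or net.prefixlen > best[0].prefixlen:
                    best = (net, peer)
        return best[1] if best else None

    def accepts(self, name, src):
        """Would a decrypted packet from `name` with source src be accepted?"""
        return self.route(src) == name


def build(peers):
    router = CryptokeyRouter()
    for name, ips in peers:
        router.add_peer(name, ips)
    return router


def load_question_config():
    return build(PEERS)


def overlapping_prefixes(peers):
    """Lint a peer list: prefixes claimed by more than one [Peer].

    Only the last claimant keeps each of them, so any entry here is a
    misconfiguration (AllowedIPs is routing, not an ACL)."""
    owners = {}
    for name, ips in peers:
        for cidr in ips:
            key = str(ipaddress.ip_network(cidr, strict=False))
            owners.setdefault(key, []).append(name)
    return {cidr: names for cidr, names in owners.items() if len(names) > 1}


if __name__ == "__main__":
    broken = load_question_config()
    for name, _ in PEERS:
        print(name, "allowed ips:", broken.allowed_ips(name) or "(none)")
    print("172.24.1.50 goes to", broken.route("172.24.1.50"))
    print("overlaps:", overlapping_prefixes(PEERS))
    fixed = build(FIXED_PEERS)
    print("fixed: 172.24.1.50 goes to", fixed.route("172.24.1.50"))
```

With the question's config the /24 is reported only under peer3, and a server-side packet to any host in 172.24.1.0/24 other than the two /32 entries is encrypted to peer3, while peer3 may inject packets with any source in that /24. With the /32-only config each peer is reachable at its own address, nothing else is routed into the tunnel, and limiting which subnet hosts a peer may reach is done with iptables/nftables on the forwarding path, as the answer states.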

