On 2025-09-25, Rudolf Sykora <[email protected]> wrote:
> Dear list,
>
> I am trying to set up a wireguard interface for 2 peers and I do not
> understand why, although I specify AllowedIPs for both, it gets ignored
> for the 1st:
>
> odin# cat /etc/wireguard/wg0.conf
> [Interface]
> PrivateKey = XXXXXX (removed)
> ListenPort = 51820
>
> [Peer]
> PublicKey = LJNRAWz8cUS7sO/8PUlc3erIhJw8dkHr9VaDMu2DDzM=
> AllowedIPs = 192.168.23.0/24
>
> [Peer]
> PublicKey = Bevi0lbafrShca6QruEBw0H2DnlWw7XGHWdgJM1mkn8=
> AllowedIPs = 192.168.23.0/24
>
> odin# cat /etc/hostname.wg0
> inet 192.168.23.1 255.255.255.0 NONE
> up
>
> !/usr/local/bin/wg setconf wg0 /etc/wireguard/wg0.conf
>
> odin# sh /etc/netstart wg0
> odin# wg
> interface: wg0
> public key: P4UVRsck8CjEkZUMS14Nphu3hgf7zI2IotJ2sit5U2A=
> private key: (hidden)
> listening port: 51820
>
> peer: LJNRAWz8cUS7sO/8PUlc3erIhJw8dkHr9VaDMu2DDzM=
> allowed ips: (none)
>
> peer: Bevi0lbafrShca6QruEBw0H2DnlWw7XGHWdgJM1mkn8=
> allowed ips: 192.168.23.0/24
>
> So there are no allowed ips for the 1st peer.
> Furthermore, if I try:
>
> odin# ifconfig wg0 wgpeer LJNRAWz8cUS7sO/8PUlc3erIhJw8dkHr9VaDMu2DDzM= wgaip
> 192.168.23.0/24
> odin# wg
> interface: wg0
> public key: P4UVRsck8CjEkZUMS14Nphu3hgf7zI2IotJ2sit5U2A=
> private key: (hidden)
> listening port: 51820
>
> peer: LJNRAWz8cUS7sO/8PUlc3erIhJw8dkHr9VaDMu2DDzM=
> allowed ips: 192.168.23.0/24
>
> peer: Bevi0lbafrShca6QruEBw0H2DnlWw7XGHWdgJM1mkn8=
> allowed ips: (none)
>
> So the 1st now has it while the second does not.
> Finally:
>
> odin# ifconfig wg0 wgpeer Bevi0lbafrShca6QruEBw0H2DnlWw7XGHWdgJM1mkn8= wgaip
> 192.168.23.0/24
> odin# wg
>
> interface: wg0
> public key: P4UVRsck8CjEkZUMS14Nphu3hgf7zI2IotJ2sit5U2A=
> private key: (hidden)
> listening port: 51820
>
> peer: LJNRAWz8cUS7sO/8PUlc3erIhJw8dkHr9VaDMu2DDzM=
> allowed ips: (none)
>
> peer: Bevi0lbafrShca6QruEBw0H2DnlWw7XGHWdgJM1mkn8=
> allowed ips: 192.168.23.0/24
> odin#
>
> As if only one peer can have the given allowed ips range,
> while I would understand that it should be possible to set
> it for both peers...
>
> Can somebody give me some hint about what I am doing wrong,
> please?

Smells like a bug in wireguard-tools perhaps when setting the allowed
ips. If I configure wgaip on multiple peers via ifconfig, it is set up
correctly as shown by ifconfig, functions correctly, and if I run "wg"
to display the current config, it is displayed correctly there too.

> (I am also puzzled by the fact that some people only use
> ifconfig together with wireguard-related wgpkey, wgpeer
> etc., while others use wg setconf; I hope both ways should
> be ok...)

Even if fixed, I recommend not using "wg" from wireguard-tools; it
won't work correctly if your installed binaries get out of sync with
changes to the kernel. This is less of a problem with ifconfig because
people usually update ifconfig at the same time they update the kernel.
(At least, updates _are_ available at the same time, which can take at
least a few days for packages).

-- 
Please keep replies on the mailing list.
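
Added example, not part of either message: in the quoted output, 192.168.23.0/24 stays with only one peer at a time when both [Peer] sections list it. This Python sketch flags any AllowedIPs prefix that appears under more than one [Peer] before the file is loaded; the function names and the embedded sample config are constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# Constructed sample mirroring the wg0.conf quoted above (private key left out).
SAMPLE_CONF = """\
[Interface]
ListenPort = 51820

[Peer]
PublicKey = LJNRAWz8cUS7sO/8PUlc3erIhJw8dkHr9VaDMu2DDzM=
AllowedIPs = 192.168.23.0/24

[Peer]
PublicKey = Bevi0lbafrShca6QruEBw0H2DnlWw7XGHWdgJM1mkn8=
AllowedIPs = 192.168.23.0/24
"""

def parse_peers(conf_text):
    """Return a list of (public_key, [ip_network, ...]), one entry per [Peer] section."""
    peers, current = [], None
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and surrounding space
        if not line:
            continue
        if line.startswith("["):
            current = None                    # any other section ends the current peer
            if line.lower() == "[peer]":
                current = {"key": None, "nets": []}
                peers.append(current)
            continue
        name, _, value = line.partition("=")  # split on the first '=' only (keys end in '=')
        name, value = name.strip().lower(), value.strip()
        if current is not None and name == "publickey":
            current["key"] = value
        elif current is not None and name == "allowedips":
            # strict=False masks host bits, so 192.168.23.1/24 equals 192.168.23.0/24
            current["nets"] += [ipaddress.ip_network(v.strip(), strict=False)
                                for v in value.split(",") if v.strip()]
    return [(p["key"], p["nets"]) for p in peers]

def duplicate_allowed_ips(conf_text):
    """Map each prefix listed under more than one peer to those peers' public keys."""
    owners = defaultdict(list)
    for key, nets in parse_peers(conf_text):
        for net in set(nets):
            owners[net].append(key)
    return {str(net): keys for net, keys in owners.items() if len(keys) > 1}
```

Calling duplicate_allowed_ips() on the text of /etc/wireguard/wg0.conf returns an empty dict when every prefix belongs to a single peer, for example when each peer is given its own /32.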

