On Thu, Sep 25, 2025 at 04:32:58PM +0200, Rudolf Sykora wrote:
> Dear list,
>
> I am trying to set up a wireguard interface for 2 peers and I do not
> understand why, although I specify AllowedIPs for both, it gets ignored
> for the 1st:
>
> odin# cat /etc/wireguard/wg0.conf
> [Interface]
> PrivateKey = XXXXXX (removed)
> ListenPort = 51820
>
> [Peer]
> PublicKey = LJNRAWz8cUS7sO/8PUlc3erIhJw8dkHr9VaDMu2DDzM=
> AllowedIPs = 192.168.23.0/24
>
> [Peer]
> PublicKey = Bevi0lbafrShca6QruEBw0H2DnlWw7XGHWdgJM1mkn8=
> AllowedIPs = 192.168.23.0/24
>
> odin# cat /etc/hostname.wg0
> inet 192.168.23.1 255.255.255.0 NONE
> up
>
> !/usr/local/bin/wg setconf wg0 /etc/wireguard/wg0.conf
>
> odin# sh /etc/netstart wg0
> odin# wg
> interface: wg0
>   public key: P4UVRsck8CjEkZUMS14Nphu3hgf7zI2IotJ2sit5U2A=
>   private key: (hidden)
>   listening port: 51820
>
> peer: LJNRAWz8cUS7sO/8PUlc3erIhJw8dkHr9VaDMu2DDzM=
>   allowed ips: (none)
>
> peer: Bevi0lbafrShca6QruEBw0H2DnlWw7XGHWdgJM1mkn8=
>   allowed ips: 192.168.23.0/24
>
> So there are no allowed ips for the 1st peer.
> Furthermore, if I try:
>
> odin# ifconfig wg0 wgpeer LJNRAWz8cUS7sO/8PUlc3erIhJw8dkHr9VaDMu2DDzM= wgaip 192.168.23.0/24
> odin# wg
> interface: wg0
>   public key: P4UVRsck8CjEkZUMS14Nphu3hgf7zI2IotJ2sit5U2A=
>   private key: (hidden)
>   listening port: 51820
>
> peer: LJNRAWz8cUS7sO/8PUlc3erIhJw8dkHr9VaDMu2DDzM=
>   allowed ips: 192.168.23.0/24
>
> peer: Bevi0lbafrShca6QruEBw0H2DnlWw7XGHWdgJM1mkn8=
>   allowed ips: (none)
>
> So the 1st now has it while the second does not.
> Finally:
>
> odin# ifconfig wg0 wgpeer Bevi0lbafrShca6QruEBw0H2DnlWw7XGHWdgJM1mkn8= wgaip 192.168.23.0/24
> odin# wg
>
> interface: wg0
>   public key: P4UVRsck8CjEkZUMS14Nphu3hgf7zI2IotJ2sit5U2A=
>   private key: (hidden)
>   listening port: 51820
>
> peer: LJNRAWz8cUS7sO/8PUlc3erIhJw8dkHr9VaDMu2DDzM=
>   allowed ips: (none)
>
> peer: Bevi0lbafrShca6QruEBw0H2DnlWw7XGHWdgJM1mkn8=
>   allowed ips: 192.168.23.0/24
> odin#
>
> As if only one peer can have the given allowed ips range,
> while I would understand that it should be possible to set
> it for both peers...
It makes sense if you think of AllowedIPs as routing rules: if this
machine has to route a packet to 192.168.23.4, it will send it out to
which peer? It can't be to both. So you need a specific network segment
per peer. Assign a specific address to each client (using /32 netmasks),
and make it the sole AllowedIP on the odin side.

> Can somebody give me some hint about what I am doing wrong,
> please?
>
> (I am also puzzled by the fact that some people only use
> ifconfig together with wireguard-related wgpkey, wgpeer
> etc., while others use wg setconf; I hope both ways should
> be ok...)

The ifconfig way uses the kernel's native support for wireguard. The wg
binary is a part of the wireguard-tools package, which is not strictly
required, since there is kernel support for wireguard. I'd go with the
latter.

> Thanks a lot!
> Ruda
> --
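As an added example (not code from the thread or from wireguard-tools), a small Python checker that parses a wg setconf-style file and reports AllowedIPs prefixes claimed by more than one peer, which is the "last one wins" situation the reply explains. The embedded sample config is reconstructed from the quoted wg0.conf above, with the private key left removed.

```python
# Added example (not from the thread): flag AllowedIPs prefixes that two peers
# share in a wg(8)-style config. WireGuard treats AllowedIPs as a routing table,
# so a prefix belongs to one peer only and the last assignment silently wins.
import ipaddress
import re

SAMPLE_CONF = """\
[Interface]
PrivateKey = XXXXXX (removed)
ListenPort = 51820

[Peer]
PublicKey = LJNRAWz8cUS7sO/8PUlc3erIhJw8dkHr9VaDMu2DDzM=
AllowedIPs = 192.168.23.0/24

[Peer]
PublicKey = Bevi0lbafrShca6QruEBw0H2DnlWw7XGHWdgJM1mkn8=
AllowedIPs = 192.168.23.0/24
"""

def parse_peers(conf):
    """Return [(public_key, [ip_network, ...]), ...] in file order."""
    peers, cur = [], None
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blanks
        if not line:
            continue
        if line.lower() == "[peer]":
            cur = {"key": None, "nets": []}
            peers.append(cur)
        elif line.startswith("["):
            cur = None  # [Interface] keys are not peer settings
        elif cur is not None and "=" in line:
            k, v = (s.strip() for s in line.split("=", 1))
            if k.lower() == "publickey":
                cur["key"] = v
            elif k.lower() == "allowedips":
                cur["nets"] += [ipaddress.ip_network(c, strict=False)
                                for c in re.split(r"[,\s]+", v) if c]
    return [(p["key"], p["nets"]) for p in peers]

def find_overlaps(conf):
    """(key_i, key_j, net_i, net_j) for each pair of peers whose prefixes overlap."""
    peers = parse_peers(conf)
    return [(ki, kj, str(a), str(b))
            for i, (ki, ni) in enumerate(peers)
            for kj, nj in peers[i + 1:]
            for a in ni for b in nj
            if a.version == b.version and a.overlaps(b)]
```

Running it over the real /etc/wireguard/wg0.conf before `wg setconf` catches the overlap at config time instead of after the second peer's prefix has silently replaced the first's. Note that a /32 inside another peer's /24 is still reported, since the /24 peer would still swallow that address.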

