Chris's Wiki :: blog/linux/WireGuardAllowedIPs Comments
https://utcc.utoronto.ca/~cks/space/blog/linux/WireGuardAllowedIPs?atomcomments
2021-01-17T10:59:37Z
Recent comments in Chris's Wiki :: blog/linux/WireGuardAllowedIPs.

From 193.219.181.219 on /blog/linux/WireGuardAllowedIPs
<div class="wikitext"><p>Oh, and even besides debug, the driver does increment rx_err in this case so you can get the RX error counter from <code>ip -s link</code>. There are three checks performed, but the other two seem extremely unlikely to come from a normal peer, so it may be safe to assume rx_err just counts AllowedIPs mismatches.</p>
</div>
2021-01-17T10:59:37Z

From 193.219.181.219 on /blog/linux/WireGuardAllowedIPs
<div class="wikitext"><blockquote><p>I don't know if there's any easy way to see if WireGuard has dropped some incoming packets because they don't match the peer's AllowedIPs.</p>
</blockquote>
<p>This is logged to dmesg at pr_debug level, as soon as you enable it through the kernel's "dynamic debug" system:</p>
<pre>
echo "module wireguard +p" > /sys/kernel/debug/dynamic_debug/control
</pre>
<p>You should then start seeing <code>"Packet has unallowed src IP (%pISc) from peer..."</code> in dmesg. There is also a similar message for outgoing packets, as well as a bunch of other interesting stuff – the ones related to failing handshakes are particularly useful.</p>
</div>
2021-01-17T10:51:06Z
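The two comments above give two signals for AllowedIPs drops: the interface's RX error counter and the pr_debug message in dmesg. The following is an added example, not code from the post or its commenters, that tallies the debug messages per source address and reads the counter from sysfs. The function names, the interface name wg0 and the sample log lines are assumptions; only the "Packet has unallowed src IP (" prefix is taken from the comment, and the rest of each line's layout is constructed.

```shell
#!/bin/sh
# Added example: summarise WireGuard AllowedIPs drops.
# Live use (as root, after enabling dynamic debug as shown in the comment):
#   dmesg | count_unallowed
#   rx_errors wg0

# count_unallowed: read kernel log text on stdin and print one
# "<count> <source-ip>" line per offending address, most frequent first.
count_unallowed() {
    sed -n 's/.*Packet has unallowed src IP (\([^)]*\)).*/\1/p' |
        sort | uniq -c | sort -k1,1nr -k2,2 | awk '{print $1, $2}'
}

# rx_errors IFACE [SYSFS_NET_DIR]: print the RX error counter, the same
# value `ip -s link` reports. The second argument exists only so the
# function can be pointed at a test directory.
rx_errors() {
    cat "${2:-/sys/class/net}/$1/statistics/rx_errors"
}

# sample_log: constructed dmesg lines for offline demonstration. Everything
# after the quoted prefix (peer id, endpoint) is an assumed layout.
sample_log() {
cat <<'EOF'
[  101.000001] wireguard: wg0: Packet has unallowed src IP (192.0.2.10) from peer 1 (198.51.100.7:51820)
[  101.500002] wireguard: wg0: Packet has unallowed src IP (192.0.2.10) from peer 1 (198.51.100.7:51820)
[  102.000003] wireguard: wg0: Receiving keepalive packet from peer 1 (198.51.100.7:51820)
[  103.000004] wireguard: wg0: Packet has unallowed src IP (2001:db8::5) from peer 2 (203.0.113.9:51820)
EOF
}

# Demonstration on the constructed sample; unrelated debug lines are ignored.
sample_log | count_unallowed
```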