WireGuard's AllowedIPs aren't always the (WireGuard) routes you want

January 5, 2025

A while back I wrote about understanding WireGuard's AllowedIPs, and also recently I wrote about how different sorts of WireGuard setups have different difficulties, where one of the challenges for some setups is setting up what you want routed through WireGuard connections. As Ian Z aka nobrowser recently noted in a comment on the first entry, these days many WireGuard related programs (such as wg-quick and NetworkManager) will automatically set routes for you based on AllowedIPs. Much of the time this will work fine, but there are situations where adding routes for all AllowedIPs ranges isn't what you want.

WireGuard's AllowedIPs setting for a particular peer controls two things at once: what (inside-WireGuard) source IP addresses you will accept from the peer, and what destination addresses WireGuard will send to that peer if the packet is sent to that WireGuard interface. However, it's the routing table that controls what destination addresses are sent to a particular WireGuard interface (or more likely a combination of IP policy routing rules and some routing table).

If your WireGuard IP address is only reachable from other WireGuard peers, you can sensibly bound your AllowedIPs so that the collection of all of them matches the routing table. This is also more or less doable if some of them are gateways for additional networks; hopefully your network design puts all of those networks under some subnet and the subnet isn't too big. However, if your WireGuard IP can wind up being reached by a broader range of source IPs, or even 'all of the Internet' (as is my case), then your AllowedIPs range is potentially much larger than what you want to always be routed to WireGuard.

A related case is if you have a 'work VPN' WireGuard configuration where you could route all of your traffic through your WireGuard connection but some of the time you only want to route traffic to specific (work) subnets. Unless you like changing AllowedIPs all of the time or constructing two different WireGuard interfaces and only activating the correct one, you'll want an AllowedIPs that accepts everything but some of the time you'll only route specific networks to the WireGuard interface.
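To make the split between the two mechanisms concrete, here is a small added model of the behaviour described above (an illustration written for this page, not WireGuard's own code): a routing table decides whether a packet goes to the WireGuard interface at all, and only then does the peer's AllowedIPs list (cryptokey routing) pick the peer, while on the inbound side the same list is a source-address filter. The peer name, interface name, addresses and routes are constructed sample values for the 'work VPN' case, where AllowedIPs is 0.0.0.0/0 but only the work subnet is routed through the tunnel.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class Peer:
    name: str
    allowed_ips: list  # IPv4Network / IPv6Network objects


@dataclass
class Route:
    dst: object  # IPv4Network / IPv6Network
    dev: str


@dataclass
class WgInterface:
    name: str
    peers: list

    def select_peer(self, dst):
        """Outbound cryptokey routing: longest-prefix match of dst over every
        peer's AllowedIPs.  (In real WireGuard a range belongs to one peer at
        a time, so this is just a longest-prefix lookup.)"""
        dst = ipaddress.ip_address(dst)
        best = None
        for peer in self.peers:
            for net in peer.allowed_ips:
                if dst in net and (best is None or net.prefixlen > best[1].prefixlen):
                    best = (peer, net)
        return best[0] if best else None

    def accept_from(self, peer, src):
        """Inbound: a decrypted packet from this peer is accepted only if its
        inner source address lies inside that peer's AllowedIPs."""
        src = ipaddress.ip_address(src)
        return any(src in net for net in peer.allowed_ips)


def lookup_route(routes, dst):
    """Kernel-style longest-prefix match in an (unrelated) routing table."""
    dst = ipaddress.ip_address(dst)
    matches = [r for r in routes if dst in r.dst]
    return max(matches, key=lambda r: r.dst.prefixlen) if matches else None


def send(routes, wg, dst):
    """Return (device, peer-or-reason) for a packet to dst: the routing table
    decides the device; AllowedIPs only matters once the device is wg."""
    route = lookup_route(routes, dst)
    if route is None:
        return ("no-route", None)
    if route.dev != wg.name:
        return (route.dev, None)
    peer = wg.select_peer(dst)
    if peer is None:
        return (wg.name, "dropped: no peer has this destination in AllowedIPs")
    return (wg.name, peer.name)


def demo():
    """Constructed 'work VPN' scenario: AllowedIPs accepts everything, but the
    routing table sends only 10.20.0.0/16 to wg0."""
    work = Peer("work", [ipaddress.ip_network("0.0.0.0/0")])
    wg0 = WgInterface("wg0", [work])
    routes = [
        Route(ipaddress.ip_network("0.0.0.0/0"), "eth0"),
        Route(ipaddress.ip_network("10.20.0.0/16"), "wg0"),
    ]
    # Contrast: a narrow AllowedIPs with a route that the peer does not cover.
    narrow = Peer("narrow", [ipaddress.ip_network("10.20.0.0/16")])
    wg1 = WgInterface("wg1", [narrow])
    routes1 = [Route(ipaddress.ip_network("10.30.0.0/16"), "wg1")]
    return {
        "to_work_subnet": send(routes, wg0, "10.20.1.5"),
        "to_internet": send(routes, wg0, "8.8.8.8"),
        "inbound_from_work": wg0.accept_from(work, "10.20.1.5"),
        "inbound_from_internet": wg0.accept_from(work, "203.0.113.5"),
        "route_without_allowedips": send(routes1, wg1, "10.30.0.9"),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The two failure modes the post describes both show up here: traffic to 8.8.8.8 never touches wg0 even though AllowedIPs would accept it, and a route that points at a WireGuard interface whose peers do not cover the destination is dropped by the interface rather than sent anywhere.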

(On the other hand, with the state of things in Linux, having two separate WireGuard interfaces might be the easiest way to manage this in NetworkManager or other tools.)

I think that most people's use of WireGuard will probably involve AllowedIPs settings that also work for routing, provided that the tools involved handle the recursive routing problem. These days, NetworkManager handles that for you, although I don't know about wg-quick.

(This is one of the entries that I write partly to work it out in my own head. My own configuration requires a different AllowedIPs than the routes I send through the WireGuard tunnel. I make this work with policy based routing.)


Comments on this page:

By Ian Z aka nobrowser at 2025-01-06 14:54:16:

Excellent points, thank you.

having two separate WireGuard interfaces might be the easiest way to manage this in NetworkManager or other tools

To my distress I found that while nmcli net off will bring down my wg interfaces (integrated with nmcli conn import), nmcli net on will not bring them back up. So I ended up adding that to my bodge script to "toggle networking". If anyone knows a clean way to do that automatically, please post it here.

By Sylvain at 2025-01-11 11:26:34:

You can use this WireGuard AllowedIPs calculator to exclude specific IP addresses or ranges.

This may create a big AllowedIPs value if you want the whole Internet except the public IP of your VPN server and private addresses to not go through WireGuard. But I use this and it works well. You don't need the fwmark and ip rule to work.

https://www.procustodibus.com/blog/2021/03/wireguard-allowedips-calculator/
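The calculation the linked calculator performs is the complement of a set of prefixes, which Python's ipaddress module can do directly. The following is an added example (not the Pro Custodibus calculator's code) that carves exclusions out of 0.0.0.0/0 so the result can be pasted into AllowedIPs; the server address 203.0.113.7 and the RFC 1918 ranges are constructed sample exclusions.

```python
import ipaddress


def _collapse(nets):
    """collapse_addresses only accepts one address family at a time."""
    v4 = [n for n in nets if n.version == 4]
    v6 = [n for n in nets if n.version == 6]
    return list(ipaddress.collapse_addresses(v4)) + list(ipaddress.collapse_addresses(v6))


def allowed_ips_excluding(include, exclude):
    """Return the smallest list of networks covering `include` minus `exclude`,
    i.e. an AllowedIPs list that sends everything except the exclusions
    through the tunnel."""
    result = [ipaddress.ip_network(n, strict=False) for n in include]
    for ex in (ipaddress.ip_network(e, strict=False) for e in exclude):
        new = []
        for net in result:
            if ex.version == net.version and ex.subnet_of(net):
                # address_exclude yields the pieces of net outside ex
                # (and nothing at all when ex == net).
                new.extend(net.address_exclude(ex))
            elif ex.version == net.version and net.subnet_of(ex):
                pass  # net lies entirely inside the exclusion: drop it
            else:
                new.append(net)
        result = new
    return sorted(_collapse(result), key=lambda n: (n.version, int(n.network_address)))


def to_allowed_ips(nets):
    """Render as the comma-separated form WireGuard config files use."""
    return ", ".join(str(n) for n in nets)


def covers(nets, addr):
    return any(ipaddress.ip_address(addr) in n for n in nets)


if __name__ == "__main__":
    # Constructed sample: everything except the VPN server's public IP
    # (so the outer UDP traffic is not routed into the tunnel) and RFC 1918.
    nets = allowed_ips_excluding(
        ["0.0.0.0/0"],
        ["203.0.113.7/32", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"],
    )
    print(len(nets), "prefixes")
    print("AllowedIPs =", to_allowed_ips(nets))
```

Excluding a single /32 from 0.0.0.0/0 already needs 32 prefixes (one per prefix length), which is the "big AllowedIPs value" the comment warns about; each extra exclusion adds more. A quick way to sanity-check the output is to confirm the excluded addresses fall outside every listed prefix and a normal public address falls inside one.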

Last modified: Sun Jan 5 23:35:10 2025