I had similar questions about AllowedIPs
man wg gives a slightly muddled definition of AllowedIPs
AllowedIPs — a comma-separated list of IP (v4 or v6) addresses
with CIDR masks from which incoming traffic
from this peer is allowed and to which outgoing traffic for
this peer is directed.
The following is my rewriten slightly clearer definition, based on the
information at https://www.wireguard.com/#cryptokey-routing,
AllowedIPs — a comma-separated list of IP (v4 or v6) addresses
with CIDR masks which are allowed as
destination addresses when sending via this peer and are
allowed as source addresses when receiving via this peer.
I hope this helps, and please correct me if any of this is wrong.
On Tue, 28 Jul 2020 at 17:45, Rich Brown <[email protected]> wrote:
>
> I'm new to WireGuard (and not an expert on routing), but here's my
> operational understanding of the definition of AllowedIPs:
>
> ---
> AllowedIPs is the set of addresses that your WireGuard peer will send across
> the tunnel to its peer.
>
> When your computer is about to send a packet out, it compares the destination
> address with WireGuard's list of AllowedIPs. If there's a match, the packet
> goes out the WireGuard tunnel. Otherwise, the packet uses the default routing
> process.
>
> In your case (joining private two networks together), you would list the
> subnet range(s) of the *other* network in *this* peer. If you want to send
> all traffic through the WireGuard tunnel (say, if you're in a coffee shop),
> you can include 0.0.0.0/0 (specifies all IPv4 addresses) and ::/0 (to specify
> all IPv6 addresses).
> ---
>
> I would appreciate having someone else review that definition for
> correctness. (I also have a blog posting that talks about the WireGuard GUI
> on macOS - https://randomneuronsfiring.com/wireguard-on-macos/ Comments are
> welcome there, as well.) Thanks.
>
> Rich
>
> > On Jul 28, 2020, at 5:12 PM, Tomcsanyi, Domonkos <[email protected]> wrote:
> >
> >
> >> 2020. júl. 28. dátummal, 18:02 időpontban Gunnar Niels
> >> <[email protected]> írta:
> >>
> >> Hello, I'm new to wireguard and have been experimenting with it in my
> >> home lab.
> >> I'm interesting in using it to join two home networks (192.168.2.0/24 and
> >> 192.168.4.0/24). They're typical home networks in two physically different
> >> locations, each with their own gateways to the internet. I'd like for the
> >> machines on each network to use their default gateway for internet access,
> >> but
> >> configure things so they use a simple linux machine (raspberry pi) to route
> >> to the other subnet over wireguard is the destination is the opposite
> >> subnet.
> >>
> >> One wireguard node is exposed via an endpoint with a dns A record (I'm port
> >> forwarding to the internal machine). On the other subnet, the rpi node is
> >> behind
> >> NAT and pointed to that endpoint.
> >>
> >> I have been able to get the wireguard nodes to connect and route machines
> >> on
> >> their opposite networks, but I haven't been able to get non-wireguard nodes
> >> to communicate with non-wireguard nodes across the tunnel. I have a few
> >> questions
> >> I'm trying to clear up:
> >>
> >> * Is it true that there isn't really a notion of a server/client from
> >> wireguard's
> >> perspective, they're really just nodes, and I've applied the semantic
> >> designation
> >> of the node behind the endpoint as a server, and the node behind the NAT
> >> as the client?
> >>
> >> * Here's my "server" config on 192.168.2.0/24:
> >>
> >> ===
> >>
> >> [Interface]
> >> Address = 10.2.0.1/24
> >> ListenPort = 34777
> >> PrivateKey = <server_priv_key>
> >>
> >> [Peer]
> >> PublicKey = <client_pub_key>
> >> AllowedIPs = 10.2.0.2/32
> >>
> >> ===
> >>
> >> Here's my "client" config on 192.168.4.0/24
> >>
> >> ===
> >>
> >> [Interface]
> >> Address = 10.2.0.2/24
> >> PrivateKey = <client_priv_key>
> >>
> >> [Peer]
> >> PublicKey = <server_pub_key>
> >> AllowedIPs = 0.0.0.0/0
> >> Endpoint = <server_host>:34777
> >> PersistentKeepalive = 15
> >>
> >> ===
> >>
> >>
> >> The simplicity of the wireguard config is one of the best features about
> >> it,
> >> but the only thing I'm unclear about here is: exactly what is the
> >> "AllowedIPs"
> >> field configuring? I'm not sure how to configure these fields for my
> >> use-case.
> >> I'm guessing the server configuration is explicitly whitelisting the
> >> client,
> >> but I'm not sure what 0.0.0.0/24 on the clientside is saying. It feels like
> >> I should have my subnets as part of this field, but I'm not sure where
> >> because
> >> I'm not sure exactly what the field represents.
> >>
> >> If someone could elaborate on it and point me in the right direction given
> >> my
> >> objective, that would be much appreciated!
> >>
> >> -GN
> >
> >
> > I think mainly you need to decide whether you want to just route the
> > traffic between the two networks or you want to use NAT as well.
> > In case you are just routing then you’d need at minimum the range of the
> > other network, because after decrypting the source IP will be from that
> > range. Otoh if you are using NAT you can just use an arbitrary IP address
> > inbetween the two tunnel endpoints, because the traffic will be modified,
> > just like when you go out to the interner via a router.
> > Also don’t forget to add the respective routes to either the local default
> > gw or each host in case you are not using NAT - otherwise you won’t get any
> > of the answers.
> > I hope this helped.
> >
> > Cheers
> > Domi
>
