I don't understand allowed ips.
I want to split tunnel my wireguard so that 2 computers can access eachother through my home router. The home router is a pi running openwrt. The ip range I want to use for wireguard is 10.80.x.x. Below is what my client config looks like. What exactly should I use for the "IP Addresses" field in General Settings on the router? Same question for "Allowed IPs" and "Rout Allower IPs" in the Peers tab? The most frusterating part is that everything worked for a minute until I restarted everything, and now nothing works.
[Interface] PrivateKey = mL7/....
Address = 10.80.0.3/32
[Peer] PublicKey = WRTV....
AllowedIPs = 10.80.0.0/16
Endpoint = aaa.bbb.ccc:1234
Sort by:
Best
Open comment sort options
Best
Top
New
Controversial
Old
Q&A
I think the easiest way to explain this is through an example configuration. Let's say you have this configuration:
What the
Addressfield tells WireGuard is two things:What your computer's IP is on the WireGuard interface. This is just the IP address without the subnet mask.
What IP addresses WireGuard should handle. This is the entire subnet.
For example, with this configuration, if you try to reach
10.0.0.1, you will reach yourself. If you try to reach any IP address within the subnet10.0.0.1/16(e.g.10.0.45.167), then WireGuard decides what to do with it.But how does WireGuard know what to do with any random IP? This is what the
AllowedIPsfield is for. It specifies what IP addresses WireGuard should route to a peer.For example, in the above configuration, if you try to reach any IP address in the subnet
10.0.2.0/24, (e.g.10.0.2.47) then WireGuard will route it through the tunnel to peer A. Peer A can decide what to do with it - route the packet, only respond if it matches10.0.2.71, whatever. Similarly, if you try to reach any IP address in the subnet10.0.3.0/24, then your packet will be sent to peer B.So how does this apply to you? You want to have a controlling 'router' with two peers connected to it, using the 10.80.0.0/16 subnet. Let's start with the router configuration (I'm leaving out everything except the IP address configurations):
What does this mean? The
Addressfield specifies that your WireGuard network is within the 10.80.0.0/16 subnet, and the router has the IP address of 10.80.0.1. TheAllowedIPsfields mean that when you send a packet from the router to 10.180.0.2, it will be sent to computer A; and similarly, if you sent a packet from the router to 10.180.0.3, it will be sent to computer B. Those are the only valid IP addresses, since we used the /32 subnet.Now for the computer configurations. Here's Computer A:
There's a little bit of ambiguity in your question. You ask that you want the two computers to reach each other, but do not specify whether or not you want to tunnel all traffic from the computers through the router. What this configuration does is only allows the two computers to reach each other, not tunneling any other traffic. If you understand this explanation, you should hopefully be able to specify this - if you don't know, ask!
Again, what this does is that it specifies the computer has the IP address of
10.80.0.2on the WireGuard network, and the WireGuard network is within the10.80.0.0/16subnet. The peer config specifies that all traffic from computer A to the10.80.0.0/16subnet goes to the router, which (if you specified the OpenWRT configuration correctly) should then be routed to anywhere the router can reach, including10.80.0.3(computer B).Similarly, here is Computer B's configuration. If you understand so far, you should (hopefully) be able to figure this out without needing to see this:
It follows the same logic as Computer A, but with a different source IP.
To give an example, here is what a packet from computer A addressed to
10.80.0.3should do:The packet's target IP address is within the WireGuard network (
10.80.0.3is within10.80.0.0/16), so WireGuard checks theAllowedIPsfields and finds that the router matches (10.80.0.3is within10.80.0.0/16). It then forwards the packet through the tunnel to the router.The router receives a packet through the tunnel from computer A. It checks its source IP address,
10.80.0.2, which matches computer A'sAllowedIPs(10.80.0.2is within10.80.0.2/32), so it allows the packet through. The router then checks the packet's target IP address,10.80.0.3, which matches the WireGuard network (10.80.0.3is within10.80.0.0/16), so it asks WireGuard. WireGuard takes a look at theAllowedIPsfields and sees that computer B matches (10.80.0.3is within10.80.0.3/32). The router then routes the packet through the tunnel to computer B.Computer B receives a packet through the tunnel from the router. It checks the source IP address,
10.80.0.2, which matches the router'sAllowedIPs(10.80.0.2is within10.80.0.0/16), and allows it through. Computer B then does whatever it wants with the packet.I don't know why I typed this much, but hopefully you get it now.
No, "AllowedIPs" specifies what source IP address will be accepted FROM a peer.
The routing table determines what will be sent TO a peer.
This is very helpful. currently however computers A and B both can ping their own ip, and the router's ip, but not each others ip.
explanation is helpful thx!
I'm having trouble understanding what you wrote.
Can you draw out your end-goal?: https://app.diagrams.net/
I'm not great at diagrams, but there is an attempt in the edit.
Wireguard is just going to be configured by the client, in the
AllowedIPsis where you set wireguard to go. So if the other computer is192.168.2.3then add192.168.1.3/32toAllowedIPsthen it is up to you to work with your firewall to allow this to happen from wireguard.ok thanks, what does Allowed IPs do on the server? can I leave it blank?