I think the easiest way to explain this is through an example configuration. Let's say you have this configuration:
```ini
[Interface]
PrivateKey = <...>
Address = 10.0.0.1/16

[Peer]
# Peer A
PublicKey = <...>
AllowedIPs = 10.0.2.0/24

[Peer]
# Peer B
PublicKey = <...>
AllowedIPs = 10.0.3.0/24
```
What the `Address` field tells WireGuard is two things:

1. What your computer's IP is on the WireGuard interface. This is just the IP address without the subnet mask.
2. What IP addresses WireGuard should handle. This is the entire subnet.
For example, with this configuration, if you try to reach 10.0.0.1, you will reach yourself. If you try to reach any IP address within the subnet 10.0.0.1/16 (e.g. 10.0.45.167), then WireGuard decides what to do with it.
But how does WireGuard know what to do with any random IP? This is what the `AllowedIPs` field is for. It specifies what IP addresses WireGuard should route to a peer.

For example, in the above configuration, if you try to reach any IP address in the subnet 10.0.2.0/24 (e.g. 10.0.2.47), then WireGuard will route it through the tunnel to peer A. Peer A can decide what to do with it - route the packet, only respond if it matches 10.0.2.71, whatever. Similarly, if you try to reach any IP address in the subnet 10.0.3.0/24, then your packet will be sent to peer B.
So how does this apply to you? You want to have a controlling 'router' with two peers connected to it, using the 10.80.0.0/16 subnet. Let's start with the router configuration (I'm leaving out everything except the IP address configurations):
```ini
[Interface]
Address = 10.80.0.1/16

[Peer]
# Computer A
AllowedIPs = 10.80.0.2/32

[Peer]
# Computer B
AllowedIPs = 10.80.0.3/32
```
What does this mean? The `Address` field specifies that your WireGuard network is within the 10.80.0.0/16 subnet, and the router has the IP address of 10.80.0.1. The `AllowedIPs` fields mean that when you send a packet from the router to 10.180.0.2, it will be sent to computer A; and similarly, if you send a packet from the router to 10.180.0.3, it will be sent to computer B. Those are the only valid IP addresses, since we used the /32 subnet.
Now for the computer configurations. Here's Computer A:
```ini
[Interface]
Address = 10.80.0.2/16

[Peer]
# Router
AllowedIPs = 10.80.0.1/16
Endpoint = <...>
```
There's a little bit of ambiguity in your question. You ask that you want the two computers to reach each other, but do not specify whether or not you want to tunnel all traffic from the computers through the router. What this configuration does is only allow the two computers to reach each other, not tunneling any other traffic. If you understand this explanation, you should hopefully be able to specify this - if you don't know, ask!

Again, what this does is specify that the computer has the IP address of 10.80.0.2 on the WireGuard network, and the WireGuard network is within the 10.80.0.0/16 subnet. The peer config specifies that all traffic from computer A to the 10.80.0.0/16 subnet goes to the router, which (if you specified the OpenWRT configuration correctly) should then be routed to anywhere the router can reach, including 10.80.0.3 (computer B).
Similarly, here is Computer B's configuration. If you understand so far, you should (hopefully) be able to figure this out without needing to see this:
```ini
[Interface]
Address = 10.80.0.3/16

[Peer]
# Router
AllowedIPs = 10.80.0.1/16
Endpoint = <...>
```
It follows the same logic as Computer A, but with a different source IP.
To give an example, here is what a packet from computer A addressed to 10.80.0.3 should do:

1. The packet's target IP address is within the WireGuard network (10.80.0.3 is within 10.80.0.0/16), so WireGuard checks the `AllowedIPs` fields and finds that the router matches (10.80.0.3 is within 10.80.0.0/16). It then forwards the packet through the tunnel to the router.
2. The router receives a packet through the tunnel from computer A. It checks its source IP address, 10.80.0.2, which matches computer A's `AllowedIPs` (10.80.0.2 is within 10.80.0.2/32), so it allows the packet through. The router then checks the packet's target IP address, 10.80.0.3, which matches the WireGuard network (10.80.0.3 is within 10.80.0.0/16), so it asks WireGuard. WireGuard takes a look at the `AllowedIPs` fields and sees that computer B matches (10.80.0.3 is within 10.80.0.3/32). The router then routes the packet through the tunnel to computer B.
3. Computer B receives a packet through the tunnel from the router. It checks the source IP address, 10.80.0.2, which matches the router's `AllowedIPs` (10.80.0.2 is within 10.80.0.0/16), and allows it through. Computer B then does whatever it wants with the packet.
I don't know why I typed this much, but hopefully you get it now.
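As an added illustration (not part of the answer above or of any commenter's post), here is a small Python model of the packet walk the answer describes. It treats each host's AllowedIPs the way WireGuard's cryptokey routing does: outbound, the peer whose AllowedIPs contains the destination (longest prefix wins) gets the packet; inbound, a decrypted packet is kept only if its source address lies in the sending peer's AllowedIPs. The hosts, addresses and the `forwards` flag are constructed to mirror the router / computer A / computer B layout in 10.80.0.0/16; the trace strings are this example's own wording. It also models two failure modes the thread touches on: a packet whose source is not in the sender's AllowedIPs at the router, and clients whose AllowedIPs for the router only covers the router's own /32.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Peer:
    name: str            # which host this [Peer] section stands for
    allowed_ips: list    # its AllowedIPs, as ip_network objects


@dataclass
class WgHost:
    name: str
    address: ipaddress.IPv4Interface   # the Address= line, e.g. 10.80.0.2/16
    peers: list = field(default_factory=list)
    forwards: bool = False             # IP forwarding enabled (the router)

    def route_out(self, dst):
        """Outbound: the peer whose AllowedIPs contains dst; longest prefix wins."""
        best, best_len = None, -1
        for p in self.peers:
            for net in p.allowed_ips:
                if dst in net and net.prefixlen > best_len:
                    best, best_len = p, net.prefixlen
        return best

    def accept_in(self, from_name, src):
        """Inbound: a decrypted packet from a peer is kept only if its
        source address lies inside that peer's AllowedIPs."""
        for p in self.peers:
            if p.name == from_name:
                return any(src in net for net in p.allowed_ips)
        return False


def peer(name, *nets):
    # strict=False drops host bits, so "10.80.0.1/16" becomes 10.80.0.0/16,
    # the network the answer's AllowedIPs = 10.80.0.1/16 line denotes.
    return Peer(name, [ipaddress.ip_network(n, strict=False) for n in nets])


def build_topology(router_allowed_on_clients="10.80.0.1/16"):
    """Constructed topology mirroring the answer: a forwarding router and two
    computers. The argument is what A and B put in AllowedIPs for the router."""
    router = WgHost("router", ipaddress.ip_interface("10.80.0.1/16"),
                    [peer("A", "10.80.0.2/32"), peer("B", "10.80.0.3/32")],
                    forwards=True)
    a = WgHost("A", ipaddress.ip_interface("10.80.0.2/16"),
               [peer("router", router_allowed_on_clients)])
    b = WgHost("B", ipaddress.ip_interface("10.80.0.3/16"),
               [peer("router", router_allowed_on_clients)])
    return {h.name: h for h in (router, a, b)}


def deliver(hosts, sender, dst, src=None, max_hops=8):
    """Walk a packet from `sender` towards `dst` and return the decision
    taken at each host. `src` defaults to the sender's own address; pass
    another value to model a packet carrying a source that is not its own."""
    src = ipaddress.ip_address(src or str(hosts[sender].address.ip))
    dst = ipaddress.ip_address(dst)
    current = hosts[sender]
    trail = []
    for _ in range(max_hops):
        if dst == current.address.ip:
            trail.append(f"{current.name}: delivered locally")
            return trail
        if dst not in current.address.network:
            trail.append(f"{current.name}: {dst} is outside the WireGuard network, not tunnelled")
            return trail
        if current.name != sender and not current.forwards:
            trail.append(f"{current.name}: not addressed to me and forwarding is off, dropped")
            return trail
        nxt = current.route_out(dst)
        if nxt is None:
            trail.append(f"{current.name}: no peer AllowedIPs matches {dst}, dropped")
            return trail
        trail.append(f"{current.name} -> {nxt.name}: AllowedIPs match, sent through the tunnel")
        receiver = hosts[nxt.name]
        if not receiver.accept_in(current.name, src):
            trail.append(f"{receiver.name}: source {src} is not in AllowedIPs for {current.name}, dropped")
            return trail
        current = receiver
    trail.append("hop limit reached")
    return trail


if __name__ == "__main__":
    for line in deliver(build_topology(), "A", "10.80.0.3"):
        print(line)
    print("--- source address not in A's AllowedIPs at the router")
    for line in deliver(build_topology(), "A", "10.80.0.3", src="10.80.0.9"):
        print(line)
    print("--- clients list only the router's /32 in AllowedIPs")
    for line in deliver(build_topology("10.80.0.1/32"), "A", "10.80.0.3"):
        print(line)
```

The first run reproduces the three-step walk in the answer (A to router, router to B, delivered at B). The second shows the inbound side of AllowedIPs: the router drops the packet because 10.80.0.9 is not inside A's AllowedIPs of 10.80.0.2/32. The third shows why a client that lists only the router's /32 can reach the router but not the other computer: nothing on A matches 10.80.0.3, so the packet never enters the tunnel.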
> It specifies what IP addresses WireGuard should route to a peer.

No, "AllowedIPs" specifies what source IP address will be accepted FROM a peer. The routing table determines what will be sent TO a peer.
This is very helpful. Currently, however, computers A and B both can ping their own IP and the router's IP, but not each other's IP.

Explanation is helpful, thx!
I'm not great at diagrams, but there is an attempt in the edit.
WireGuard is just going to be configured by the client; `AllowedIPs` is where you set where WireGuard should go. So if the other computer is 192.168.2.3, then add 192.168.1.3/32 to `AllowedIPs`; then it is up to you to work with your firewall to allow this to happen from WireGuard.
OK thanks, what does `AllowedIPs` do on the server? Can I leave it blank?