On 2025-09-25, Rudolf Sykora <rudolf.sykora@cvut.cz> wrote:
> Dear list,
>
>
> I am trying to set up a wireguard interface for 2 peers and I do not
> understand why, although I specify AllowedIPs for both, it gets ignored
> for the 1st:
>
> odin# cat /etc/wireguard/wg0.conf
> [Interface]
> PrivateKey = XXXXXX (removed)
> ListenPort = 51820
>
> [Peer]
> PublicKey = LJNRAWz8cUS7sO/8PUlc3erIhJw8dkHr9VaDMu2DDzM=
> AllowedIPs = 192.168.23.0/24
>
> [Peer]
> PublicKey = Bevi0lbafrShca6QruEBw0H2DnlWw7XGHWdgJM1mkn8=
> AllowedIPs = 192.168.23.0/24
>
> odin# cat /etc/hostname.wg0
> inet 192.168.23.1 255.255.255.0 NONE
> up
>
> !/usr/local/bin/wg setconf wg0 /etc/wireguard/wg0.conf
>
> odin# sh /etc/netstart wg0
> odin# wg
> interface: wg0
> public key: P4UVRsck8CjEkZUMS14Nphu3hgf7zI2IotJ2sit5U2A=
> private key: (hidden)
> listening port: 51820
>
> peer: LJNRAWz8cUS7sO/8PUlc3erIhJw8dkHr9VaDMu2DDzM=
> allowed ips: (none)
>
> peer: Bevi0lbafrShca6QruEBw0H2DnlWw7XGHWdgJM1mkn8=
> allowed ips: 192.168.23.0/24
>
> So there are no allowed ips for the 1st peer.
> Furthermore, if I try:
>
> odin# ifconfig wg0 wgpeer LJNRAWz8cUS7sO/8PUlc3erIhJw8dkHr9VaDMu2DDzM= wgaip 192.168.23.0/24
> odin# wg
> interface: wg0
> public key: P4UVRsck8CjEkZUMS14Nphu3hgf7zI2IotJ2sit5U2A=
> private key: (hidden)
> listening port: 51820
>
> peer: LJNRAWz8cUS7sO/8PUlc3erIhJw8dkHr9VaDMu2DDzM=
> allowed ips: 192.168.23.0/24
>
> peer: Bevi0lbafrShca6QruEBw0H2DnlWw7XGHWdgJM1mkn8=
> allowed ips: (none)
>
> So the 1st now has it while the second does not. Finally:
>
> odin# ifconfig wg0 wgpeer Bevi0lbafrShca6QruEBw0H2DnlWw7XGHWdgJM1mkn8= wgaip 192.168.23.0/24
> odin# wg
> interface: wg0
> public key: P4UVRsck8CjEkZUMS14Nphu3hgf7zI2IotJ2sit5U2A=
> private key: (hidden)
> listening port: 51820
>
> peer: LJNRAWz8cUS7sO/8PUlc3erIhJw8dkHr9VaDMu2DDzM=
> allowed ips: (none)
>
> peer: Bevi0lbafrShca6QruEBw0H2DnlWw7XGHWdgJM1mkn8=
> allowed ips: 192.168.23.0/24
> odin#
>
> As if only one peer can have the given allowed ips range,
> while I would understand that it should be possible to set
> it for both peers...
>
> Can somebody give me some hint about what I am doing wrong,
> please?

Smells like a bug in wireguard-tools perhaps when setting the
allowed ips.

If I configure wgaip on multiple peers via ifconfig, it is set up
correctly as shown by ifconfig, functions correctly, and if I run
"wg" to display the current config, it is displayed correctly
there too.

> (I am also puzzled by the fact that some people only use
> ifconfig together with wireguard-related wgpkey, wgpeer
> etc., while others use wg setconf; I hope both ways should
> be ok...)

Even if fixed, I recommend not using "wg" from wireguard-tools;
it won't work correctly if your installed binaries get out of sync
with changes to the kernel. This is less of a problem with ifconfig
because people usually update ifconfig at the same time they update
the kernel. (At least, updates _are_ available at the same time,
which can take at least a few days for packages).

--
Please keep replies on the mailing list.
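
In the `wg` output quoted above, 192.168.23.0/24 appears only on whichever peer it was assigned to last. The following Python script is an added example, not part of the original thread: it parses a wg-style config, reports prefixes listed under more than one peer, and renders the peers as `wgpeer`/`wgaip` lines for /etc/hostname.wg0. The sample config is constructed from the one in the question and the function names are hypothetical.

```python
import ipaddress
# Constructed sample mirroring the peers in the question (private key left out).
SAMPLE_CONF = """\
[Interface]
ListenPort = 51820
[Peer]
PublicKey = LJNRAWz8cUS7sO/8PUlc3erIhJw8dkHr9VaDMu2DDzM=
AllowedIPs = 192.168.23.0/24

[Peer]
PublicKey = Bevi0lbafrShca6QruEBw0H2DnlWw7XGHWdgJM1mkn8=
AllowedIPs = 192.168.23.0/24
"""

def parse_peers(text):
    """Return [(public_key, [ip_network, ...])] for each [Peer] section."""
    peers, section = [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("["):
            section = line.strip("[]").lower()
            if section == "peer":
                peers.append([None, []])
            continue
        name, _, value = line.partition("=")  # split at the first "=" only
        name, value = name.strip().lower(), value.strip()
        if section == "peer" and name == "publickey":
            peers[-1][0] = value
        elif section == "peer" and name == "allowedips":
            peers[-1][1] += [ipaddress.ip_network(v.strip(), strict=False)
                             for v in value.split(",") if v.strip()]
    return [tuple(p) for p in peers]

def duplicate_prefixes(peers):
    """Return [(prefix, [keys...])] for identical prefixes listed under 2+ peers."""
    owners = {}
    for key, nets in peers:
        for net in nets:
            owners.setdefault(net, []).append(key)
    return [(net, keys) for net, keys in owners.items() if len(set(keys)) > 1]

def hostname_if_lines(peers):
    """Render each peer as a hostname.if(5) line using ifconfig wgpeer/wgaip."""
    return [" ".join(["wgpeer", key] + ["wgaip %s" % n for n in nets])
            for key, nets in peers]

if __name__ == "__main__":
    peers = parse_peers(SAMPLE_CONF)
    print(duplicate_prefixes(peers), *hostname_if_lines(peers), sep="\n")
```

Only identical prefixes are reported; overlapping prefixes of different lengths are left alone.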