Friday, September 26, 2025

Re: wireguard multiple peers problem: information ignored

On Thu, Sep 25, 2025 at 04:32:58PM +0200, Rudolf Sykora wrote:
> Dear list,
>
>
> I am trying to set up a wireguard interface for 2 peers and I do not
> understand why, although I specify AllowedIPs for both, it gets ignored
> for the 1st:
>
> odin# cat /etc/wireguard/wg0.conf
> [Interface]
> PrivateKey = XXXXXX (removed)
> ListenPort = 51820
>
> [Peer]
> PublicKey = LJNRAWz8cUS7sO/8PUlc3erIhJw8dkHr9VaDMu2DDzM=
> AllowedIPs = 192.168.23.0/24
>
> [Peer]
> PublicKey = Bevi0lbafrShca6QruEBw0H2DnlWw7XGHWdgJM1mkn8=
> AllowedIPs = 192.168.23.0/24
>
> odin# cat /etc/hostname.wg0
> inet 192.168.23.1 255.255.255.0 NONE
> up
>
> !/usr/local/bin/wg setconf wg0 /etc/wireguard/wg0.conf
>
> odin# sh /etc/netstart wg0
> odin# wg
> interface: wg0
> public key: P4UVRsck8CjEkZUMS14Nphu3hgf7zI2IotJ2sit5U2A=
> private key: (hidden)
> listening port: 51820
>
> peer: LJNRAWz8cUS7sO/8PUlc3erIhJw8dkHr9VaDMu2DDzM=
> allowed ips: (none)
>
> peer: Bevi0lbafrShca6QruEBw0H2DnlWw7XGHWdgJM1mkn8=
> allowed ips: 192.168.23.0/24
>
> So there are no allowed ips for the 1st peer.
> Furthermore, if I try:
>
> odin# ifconfig wg0 wgpeer LJNRAWz8cUS7sO/8PUlc3erIhJw8dkHr9VaDMu2DDzM= wgaip 192.168.23.0/24
> odin# wg
> interface: wg0
> public key: P4UVRsck8CjEkZUMS14Nphu3hgf7zI2IotJ2sit5U2A=
> private key: (hidden)
> listening port: 51820
>
> peer: LJNRAWz8cUS7sO/8PUlc3erIhJw8dkHr9VaDMu2DDzM=
> allowed ips: 192.168.23.0/24
>
> peer: Bevi0lbafrShca6QruEBw0H2DnlWw7XGHWdgJM1mkn8=
> allowed ips: (none)
>
> So the 1st now has it while the second does not. Finally:
>
> odin# ifconfig wg0 wgpeer Bevi0lbafrShca6QruEBw0H2DnlWw7XGHWdgJM1mkn8= wgaip 192.168.23.0/24
> odin# wg
> interface: wg0
> public key: P4UVRsck8CjEkZUMS14Nphu3hgf7zI2IotJ2sit5U2A=
> private key: (hidden)
> listening port: 51820
>
> peer: LJNRAWz8cUS7sO/8PUlc3erIhJw8dkHr9VaDMu2DDzM=
> allowed ips: (none)
>
> peer: Bevi0lbafrShca6QruEBw0H2DnlWw7XGHWdgJM1mkn8=
> allowed ips: 192.168.23.0/24
> odin#
>
> As if only one peer can have the given allowed ips range,
> while I would understand that it should be possible to set
> it for both peers...

It makes sense if you think of AllowedIPs as routing rules: if this
machine has to route a packet to 192.168.23.4, it will send it out to
which peer? It can't be to both. So you need a specific network
segment per peer.

Assign a specific address to each client (using /32 netmasks), and make
it the sole AllowedIP on the odin side.

>
> Can somebody give me some hint about what I am doing wrong,
> please?
>
> (I am also puzzled by the fact that some people only use
> ifconfig together with wireguard-related wgpkey, wgpeer
> etc., while others use wg setconf; I hope both ways should
> be ok...)

The ifconfig way uses the kernel's native support for wireguard.
The wg binary is a part of the wireguard-tools package, which is not
strictly required, since there is kernel support for wireguard. I'd go
with the latter.

>
>
> Thanks a lot!
> Ruda
>

--
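To make the routing-rules view concrete, here is an added model of WireGuard's cryptokey routing (not code from the thread, from wireguard-tools or from OpenBSD): every AllowedIPs prefix belongs to exactly one peer, so giving the same 192.168.23.0/24 to the second peer takes it away from the first, exactly as the wg output above shows, while per-client /32 entries never collide. The client addresses 192.168.23.2 and 192.168.23.3 are assumed for illustration.

```python
import ipaddress

# Public keys copied from the original post; the peers are just labels here.
PEER_A = "LJNRAWz8cUS7sO/8PUlc3erIhJw8dkHr9VaDMu2DDzM="
PEER_B = "Bevi0lbafrShca6QruEBw0H2DnlWw7XGHWdgJM1mkn8="


class CryptokeyRouter:
    """Model of the AllowedIPs table: one prefix -> exactly one peer."""

    def __init__(self):
        self.table = {}  # ip_network -> peer public key

    def set_allowed_ip(self, peer, prefix):
        """Assign prefix to peer; returns the peer that previously owned it (or None)."""
        net = ipaddress.ip_network(prefix, strict=True)
        previous = self.table.get(net)
        self.table[net] = peer          # the prefix silently moves to the new peer
        return previous

    def allowed_ips(self, peer):
        """What `wg` would print as 'allowed ips' for this peer."""
        return sorted(str(n) for n, p in self.table.items() if p == peer)

    def lookup(self, dst):
        """Outbound decision: longest-prefix match picks the single peer."""
        addr = ipaddress.ip_address(dst)
        matches = [n for n in self.table if addr in n]
        if not matches:
            return None                 # no peer: the kernel drops the packet
        return self.table[max(matches, key=lambda n: n.prefixlen)]


def overlapping_config():
    """The poster's config: the same /24 on both peers."""
    r = CryptokeyRouter()
    r.set_allowed_ip(PEER_A, "192.168.23.0/24")
    r.set_allowed_ip(PEER_B, "192.168.23.0/24")   # steals the prefix from PEER_A
    return r


def per_client_config():
    """The suggested fix: one /32 per client (addresses assumed)."""
    r = CryptokeyRouter()
    r.set_allowed_ip(PEER_A, "192.168.23.2/32")
    r.set_allowed_ip(PEER_B, "192.168.23.3/32")
    return r


if __name__ == "__main__":
    bad, good = overlapping_config(), per_client_config()
    print("overlapping:", bad.allowed_ips(PEER_A), bad.allowed_ips(PEER_B))
    print("per-client 192.168.23.2 ->", good.lookup("192.168.23.2") == PEER_A)
```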