Your config doesn't make sense, but AllowedIPs is probably the one most misunderstood setting in Wireguard so that is understandable.
One of the things it does is set a route, so having two peers with the same subnet on the server side - you are telling the Wireguard server "if I receive a packet destined for 192.168.23.0/24 send it to both peers" which obviously isn't what you want (and won't work).

What you more likely want to set in this field is the client's IP /32 so if your Wireguard server is 192.168.23.1 and your peers are .2 and .3, the AllowedIPs field should be set to 192.168.23.2/32 and 192.168.23.3/32 respectively.

You can add additional subnets if you intend to route between networks beyond the peer but I suspect this is a "road warrior" setup in which case this will do what you want.

Please read the man page for wg(4) section "Allowed IPs" for more.

Regards
Lloyd

rsyk...@disroot.org wrote:
> Dear list,
>
>
> I am trying to set up a wireguard interface for 2 peers and I do not
> understand why, although I specify AllowedIPs for both, it gets ignored
> for the 1st:
>
> odin# cat /etc/wireguard/wg0.conf
> [Interface]
> PrivateKey = XXXXXX (removed)
> ListenPort = 51820
>
> [Peer]
> PublicKey = LJNRAWz8cUS7sO/8PUlc3erIhJw8dkHr9VaDMu2DDzM=
> AllowedIPs = 192.168.23.0/24
>
> [Peer]
> PublicKey = Bevi0lbafrShca6QruEBw0H2DnlWw7XGHWdgJM1mkn8=
> AllowedIPs = 192.168.23.0/24
>
> odin# cat /etc/hostname.wg0
> inet 192.168.23.1 255.255.255.0 NONE
> up
>
> !/usr/local/bin/wg setconf wg0 /etc/wireguard/wg0.conf
>
> odin# sh /etc/netstart wg0
> odin# wg
> interface: wg0
> public key: P4UVRsck8CjEkZUMS14Nphu3hgf7zI2IotJ2sit5U2A=
> private key: (hidden)
> listening port: 51820
>
> peer: LJNRAWz8cUS7sO/8PUlc3erIhJw8dkHr9VaDMu2DDzM=
> allowed ips: (none)
>
> peer: Bevi0lbafrShca6QruEBw0H2DnlWw7XGHWdgJM1mkn8=
> allowed ips: 192.168.23.0/24
>
> So there are no allowed ips for the 1st peer.
> Furthermore, if I try:
>
> odin# ifconfig wg0 wgpeer LJNRAWz8cUS7sO/8PUlc3erIhJw8dkHr9VaDMu2DDzM= wgaip
> 192.168.23.0/24
> odin# wg
> interface: wg0
> public key: P4UVRsck8CjEkZUMS14Nphu3hgf7zI2IotJ2sit5U2A=
> private key: (hidden)
> listening port: 51820
>
> peer: LJNRAWz8cUS7sO/8PUlc3erIhJw8dkHr9VaDMu2DDzM=
> allowed ips: 192.168.23.0/24
>
> peer: Bevi0lbafrShca6QruEBw0H2DnlWw7XGHWdgJM1mkn8=
> allowed ips: (none)
>
> So the 1st now has it while the second does not. Finally:
>
> odin# ifconfig wg0 wgpeer Bevi0lbafrShca6QruEBw0H2DnlWw7XGHWdgJM1mkn8= wgaip
> 192.168.23.0/24
> odin# wg
> interface: wg0
> public key: P4UVRsck8CjEkZUMS14Nphu3hgf7zI2IotJ2sit5U2A=
> private key: (hidden)
> listening port: 51820
>
> peer: LJNRAWz8cUS7sO/8PUlc3erIhJw8dkHr9VaDMu2DDzM=
> allowed ips: (none)
>
> peer: Bevi0lbafrShca6QruEBw0H2DnlWw7XGHWdgJM1mkn8=
> allowed ips: 192.168.23.0/24
> odin#
>
> As if only one peer can have the given allowed ips range,
> while I would understand that it should be possible to set
> it for both peers...
>
> Can somebody give me some hint about what I am doing wrong,
> please?
>
> (I am also puzzled by the fact that some people only use
> ifconfig together with wireguard-related wgpkey, wgpeer
> etc., while others use wg setconf; I hope both ways should
> be ok...)
>
>
> Thanks a lot!
> Ruda
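
Added example, not part of either message above and not WireGuard project code: a small Python check that reads a wg setconf-style file and reports any AllowedIPs prefix listed under more than one peer, which is the condition the posted wg0.conf hits. The function name and the SUGGESTED config (the /32-per-peer layout from the reply) are constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# Constructed input: the server config quoted above, private key line omitted.
POSTED = """\
[Interface]
ListenPort = 51820

[Peer]
PublicKey = LJNRAWz8cUS7sO/8PUlc3erIhJw8dkHr9VaDMu2DDzM=
AllowedIPs = 192.168.23.0/24

[Peer]
PublicKey = Bevi0lbafrShca6QruEBw0H2DnlWw7XGHWdgJM1mkn8=
AllowedIPs = 192.168.23.0/24
"""
# Constructed input: same peers, one /32 each (.2 and .3) as the reply suggests.
SUGGESTED = POSTED.replace("23.0/24", "23.2/32", 1).replace("23.0/24", "23.3/32", 1)


def duplicate_allowed_ips(conf_text):
    """Map each prefix listed under more than one [Peer] to those peers' keys."""
    owners = defaultdict(list)  # normalized prefix -> public keys, in file order
    peers, current = [], None
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if line.startswith("["):
            # Only [Peer] sections carry AllowedIPs; [Interface] is skipped.
            current = {"key": None, "nets": set()} if line.lower() == "[peer]" else None
            if current is not None:
                peers.append(current)
        elif line and current is not None:
            name, _, value = (p.strip() for p in line.partition("="))
            if name.lower() == "publickey":
                current["key"] = value
            elif name.lower() == "allowedips":
                for item in filter(None, (i.strip() for i in value.split(","))):
                    # strict=False masks host bits: 10.0.0.5/24 -> 10.0.0.0/24
                    current["nets"].add(ipaddress.ip_network(item, strict=False))
    for peer in peers:
        for net in peer["nets"]:
            owners[str(net)].append(peer["key"])
    return {net: keys for net, keys in owners.items() if len(keys) > 1}


if __name__ == "__main__":
    for label, conf in (("posted", POSTED), ("suggested", SUGGESTED)):
        print(label, duplicate_allowed_ips(conf) or "no prefix listed twice")
```

The check only reports identical prefixes; a /32 under one peer that falls inside a wider prefix under another is not reported.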