1.3 WireGuard would not show two peers with allowed-ips

I have the following setup:
1 VyOS 1.3 and 2 WireGuard peers.
The main WG server has the IP
The peers have the IPs and
The WG config on the .254 is:

vyos@vyos# show interfaces wireguard wg0
 peer client2 {
     persistent-keepalive 20
     pubkey TD/hplu0Xo4scK0jrNXPGRaOXw6dicF/6TWuF5bLqTQ=
 }
 peer mullvad {
     persistent-keepalive 10
     pubkey Pookh06aS25jss/zX5aUcnsDtR3qwj30Xnh6F9Gn5hA=
 }
 port 51820
 private-key t_test1

And the summary of the WG interface is:

vyos@vyos# run show interfaces wireguard wg0 summary
interface: wg0
  public key: y3x54xJY4kuJ8N54CqK5yrNmOLypQxrm1zbwr3KM/GY=
  private key: (hidden)
  listening port: 51820

peer: TD/hplu0Xo4scK0jrNXPGRaOXw6dicF/6TWuF5bLqTQ=
  allowed ips: (none)
  latest handshake: 3 seconds ago
  transfer: 1.28 KiB received, 308 B sent
  persistent keepalive: every 20 seconds

peer: Pookh06aS25jss/zX5aUcnsDtR3qwj30Xnh6F9Gn5hA=
  allowed ips:
  latest handshake: 53 seconds ago
  transfer: 6.57 KiB received, 5.33 KiB sent
  persistent keepalive: every 10 seconds

peer: EiMmRBXdwkEzpDaNOkMieNsu30MXpN3vszdBCWM5VH0=
  allowed ips: (none)
  persistent keepalive: every 10 seconds

As you can see, the peers are connected, but in the summary there is only one peer that is allowed.
Another issue is that, despite the fact that I removed one peer, it is still present.

I think this is a bug since on plain Debian and other Linux and routing systems I am able to set this up properly.

In the docs for 1.3 interface configuration it states:

“You can not assign the same allowed-ips statement to multiple WireGuard peers. This is a design decision. For more information please check the WireGuard mailing list.”

Can you really set that up on Debian?

But: I never set it up like that: I set allowed-ips to on the client so that all traffic is routed through the WireGuard tunnel. And on the server allowed-ips is set to the WireGuard IP of the client (a …/32).

The Remote Access “RoadWarrior” Example does it like that.

I must admit I didn’t understand allowed-ips to be like that.
I also read the mailing list details and it makes sense that you will have only one route per subnet/CIDR to one peer.
But, there is a big difference between routing and ACL.
The allowed-ips is an ACL which allows all IPs to be routed via this tunnel and does not set a route via this tunnel.
The issue is that routes should be set up manually on VyOS and not automatically via the allowed-ips (in my opinion).

If I understand correctly, then if I use the WG tunnel as a GW I need to set allowed-ips to the specific client IP, and to the remote network if it’s an S2S.

Thanks for the details!!

That’s how it works right now; it won’t add a route in there. I recommend using multiple tunnels. You can have one for remote access, set up as @patient0 mentioned, and then other tunnels for S2S, which allows you to have “allowed-ips” per tunnel. I run BGP over mine just fine doing it this way.
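As an added illustration (not code from this thread or from VyOS), here is a small Python model of WireGuard's cryptokey routing table, the mechanism behind the routing-vs-ACL discussion above and the per-tunnel advice: each interface holds one longest-prefix table, every allowed-ips prefix belongs to exactly one peer on that interface (a second peer claiming the same prefix takes it over), and a separate interface has its own table. Peer names follow the thread; the addresses are constructed.

```python
"""Toy model of WireGuard cryptokey routing: one longest-prefix table per
interface, each allowed-ips prefix owned by exactly one peer. Addresses are constructed."""
import ipaddress


class WgInterface:
    def __init__(self):
        self.table = {}  # ip_network -> peer name

    def set_allowed_ips(self, peer, *prefixes):
        """Assign prefixes to peer. A prefix already owned by another peer on
        this interface is taken from it, as `wg set ... allowed-ips` does.
        Returns the (prefix, previous_owner) pairs that moved."""
        moved = []
        for p in prefixes:
            net = ipaddress.ip_network(p)
            prev = self.table.get(net)
            if prev is not None and prev != peer:
                moved.append((str(net), prev))
            self.table[net] = peer
        return moved

    def allowed_ips(self, peer):
        return sorted(str(n) for n, p in self.table.items() if p == peer)

    def outbound_peer(self, dst):
        """Routing role: longest-prefix match on the destination selects the
        peer whose key encrypts the packet; None means it is dropped."""
        addr = ipaddress.ip_address(dst)
        cands = [n for n in self.table if addr in n]
        return self.table[max(cands, key=lambda n: n.prefixlen)] if cands else None

    def accept_inbound(self, peer, src):
        """ACL role: a decrypted packet from peer is accepted only if its
        inner source address maps back to that same peer."""
        return self.outbound_peer(src) == peer


def demo():
    wg0 = WgInterface()
    wg0.set_allowed_ips("client2", "10.10.0.2/32")       # road-warrior /32
    wg0.set_allowed_ips("mullvad", "0.0.0.0/0")          # default route via mullvad
    before = (wg0.outbound_peer("10.10.0.2"), wg0.outbound_peer("1.1.1.1"))
    moved = wg0.set_allowed_ips("client3", "0.0.0.0/0")  # same prefix, second peer
    wg1 = WgInterface()                                  # S2S tunnel: own table
    wg1.set_allowed_ips("site-b", "192.168.20.0/24")
    return {"before": before, "moved": moved,
            "mullvad_left": wg0.allowed_ips("mullvad"),
            "spoof_blocked": wg0.accept_inbound("client2", "10.10.0.9"),
            "wg1_peer": wg1.outbound_peer("192.168.20.7")}
```

The `moved` entry is the effect the 1.3 docs warn about: once client3 claims 0.0.0.0/0 on wg0, mullvad is left with no allowed-ips and stops receiving traffic, whereas the same prefix on wg1 would not conflict.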

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.