
I know there's a series of CIDRs that I can use to cover all public CIDRs and leave out local CIDRs, but I cannot find this anywhere and I don't recall where I found it a couple of years ago when previously solving this problem.

My goal is to have two configurations of the same Wireguard endpoint:

  • one where ONLY traffic specifically to the Wireguard CIDR is routed through the tunnel;
  • one where ALL traffic to IPs in public CIDRs + traffic to the Wireguard CIDR is routed through the tunnel.

Does anyone have this configuration and can share it?

cmjordan

1 Answer


Found it in a comment on a Reddit thread.

AllowedIPs needs to have the following list in addition to the CIDR block of your Wireguard configuration. In my case, I've prepended 10.1.0.0/16 to this list.

AllowedIPs = 0.0.0.0/5, 8.0.0.0/7, 11.0.0.0/8, 12.0.0.0/6, 16.0.0.0/4, 32.0.0.0/3, 64.0.0.0/2, 128.0.0.0/3, 160.0.0.0/5, 168.0.0.0/6, 172.0.0.0/12, 172.32.0.0/11, 172.64.0.0/10, 172.128.0.0/9, 173.0.0.0/8, 174.0.0.0/7, 176.0.0.0/4, 192.0.0.0/9, 192.128.0.0/11, 192.160.0.0/13, 192.169.0.0/16, 192.170.0.0/15, 192.172.0.0/14, 192.176.0.0/12, 192.192.0.0/10, 193.0.0.0/8, 194.0.0.0/7, 196.0.0.0/6, 200.0.0.0/5, 208.0.0.0/4, 8.8.8.8/32

I also came across this neat CIDR block calculator tool that could have been helpful: https://www.procustodibus.com/blog/2021/03/wireguard-allowedips-calculator/

cmjordan
  • Note that `wg-quick` performs a lot of routing settings. If `wg`, the lower-level WireGuard configuration tool, was used (or `Table = off` in `wg-quick`'s config), then this would be a simple routing problem, not a WireGuard (actually `wg-quick`) problem. The routing table allows inserting exceptions, while AllowedIPs and WireGuard can't, requiring set-element subtraction ("all" minus 10.0.0.0/8 minus 172.16.0.0/12 minus 192.168.0.0/16 etc. etc., giving what you found). – A.B Sep 17 '22 at 13:44
  • A great point. I should have clarified that I was looking for this to be controlled solely by the configuration on the client side of what traffic is sent through the VPN, with the server putting no restrictions on traffic outbound. – cmjordan Sep 18 '22 at 14:36
  • I don't know that it's universally possible... do you know if you can issue underlying commands to wg in the mobile clients on a per-tunnel basis? – cmjordan Sep 18 '22 at 14:37
  • No idea about this 2nd point, but you should take a look at https://www.wireguard.com/quickstart/ . There are visual examples of what wg-quick does etc. – A.B Sep 18 '22 at 14:50
  • @A.B just had a chance to look at the referenced video. I'm not sure I'm following your alternative suggestion. At first, I thought you were saying to specify the list of public routes directly to `wg` on the server-side. After watching that video, I suspect you may be trying to suggest something else... do you have a suggestion on a modification to the answer or to the question that you think would be good context / alternative to anyone stumbling onto this question with the same or similar goal? – cmjordan Sep 19 '22 at 21:06
  • Separately, I would suspect that these configurations of `AllowedIPs` actually cause the Wireguard clients to issue a series of `wg-quick` commands under the hood when disabling/enabling a tunnel. Maybe that's what you're pointing out? – cmjordan Sep 19 '22 at 21:12
  • The mp4 video shows how to do everything without ever using wg-quick. The animated gif shows how wg-quick uses ip and wg commands to work, as I wrote in my first comment. I was just saying that it's not mandatory to use wg-quick, or, if using wg-quick, that the default behavior (of trying to route everything) can be changed. The exact *routing* settings would have to depend on the current layout. But this would simplify AllowedIPs by just using `0/0` (which can work correctly only with one peer, by the way). – A.B Sep 20 '22 at 06:29
  • Okay, thanks. I didn't realize your comment was purely educational and tangential to the question posed. I thought you were trying to propose a better alternative. `wg` and `wg-quick` are not accessible on Wireguard mobile clients (AFAIK) so the only way to achieve this is via `AllowedIPs` filtering to include everything except reserved private network CIDRs. – cmjordan Sep 21 '22 at 13:24
  • A good point indeed. – A.B Sep 21 '22 at 14:02