I was reading about setting up WireGuard as a VPN server on the Arch wiki. One thing I got confused by was the usage of /24 for the network and /32 for the peers.
Doesn’t this mean that the peers are on a separate network, as /32 is a host-only network? Shouldn’t this be /24 so that it can route to the correct client accordingly?
But on the “client”, it shows the configuration to be
Read up on CIDR notation and subnets. Basically, a /32 is for one IP address, like a specific peer, so that makes sense. The /24 and any other number less than 32 and greater than 0 specifies a range of IP addresses. /24 would allow an IP range from, say, 10.0.0.0 through 10.0.0.255. A /16 would be 10.0.0.0 through 10.0.255.255.
The notation means different things in different contexts. In Address the notation specifies a single IP address and a subnet mask. In AllowedIPs the notation specifies a group of IP addresses, where /32 would be just a single address and /24 would be 256 IP addresses. The addresses in AllowedIPs should not overlap. This setting is used by WireGuard to decide to which peer to send a packet. If, for example, 10.0.0.42 is part of two different AllowedIPs sets, WireGuard would not know to which peer it should send a packet addressed to 10.0.0.42.
Sure, you’ve got it all understood from the other replies, but the WireGuard documentation on ‘Cryptokey Routing’ explains this specifically in the context of WireGuard and its peers. It is well worth reading.
So does assigning a /24 to a peer give the peer the entire network of IP addresses to use? I understand the CIDR notation but not how it works in the context of WireGuard. Thanks for the links!
Address: the “/24” is representing the network mask for the network that the interface resides in.
AllowedIPs is not being used as an address assignment, but as a filter. In this context, the filter is limiting the allowed address sources to only one address. Thus the use of /32. Security implications aside, you could use 0.0.0.0/0 here instead and it would work. (Since 0.0.0.0/0 includes the client tunnel assigned IP address.)
Contrary to the OP’s assertion that AllowedIPs determines who is sent what packets… I think that the routing table determines that. The AllowedIPs only determines if the packet is actually passed once the routing has determined the path.
Think of AllowedIPs as Wireguard’s version of a Cisco Standard ACL. (Minus the ability to filter based on Layer 4, of course.)
/24 specifies a range: 256 different IP addresses in this case. WG is a network application; CIDR works the same pretty much everywhere. If you assigned a peer a range of IP addresses, it would usually mean that any device on that subnet range could connect as a peer (client). This is often done when using a switch, so a range of devices can connect with different IPs in the specified range, but the settings would just have 10.0.0.0/24 instead of listing each individual possible IP address: 10.0.0.1, 10.0.0.2, 10.0.0.3, etc.
The address can be an IP or a range but typically the peers (clients) are a specific IP, so a /32.