WireGuard with exclusions to the AllowedIPs

We have configured a GL.iNet GL-AR750S-Ext (Slate) device that uses OpenWRT and configured it to use WireGuard for a VPN. The peers are configured as below. I understand the AllowedIPs can have multiple CIDRs. Is there a way to exclude one or more CIDRs/IPs so that they are routed via the WAN to the internet? Perhaps in some networking hooks.

Thanks in advance,

[Peer]
PublicKey = xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
AllowedIPs = 0.0.0.0/0
EndPoint = wireguard-1.xxxxxxx.com:51820

You can write out the ranges of allowed IPs directly in order to exclude the ones you want. Somewhat annoyingly, there is no option to use a ! or other method to exclude, so you'd have to create all the ranges around the ones you want to exclude.

Alternatively, you can use something like policy based routing to route the excluded IPs according to your needs.

2 Likes
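One way to produce the "ranges around the exclusions" mentioned above, as an added example that is not from the thread: a small Python script using the standard ipaddress module to subtract the CIDRs you want to keep on the WAN from 0.0.0.0/0 and emit the resulting AllowedIPs line. The 192.168.8.0/24 exclusion is a constructed sample, not from the question.

```python
import ipaddress

def allowed_ips_excluding(exclusions, base="0.0.0.0/0"):
    """Return the CIDRs covering `base` minus every network in `exclusions`.

    WireGuard has no negation syntax, so an exclusion must be written as the
    set of blocks surrounding each excluded range. Two CIDRs of the same
    family are either disjoint or nested, so each excluded block is either
    inside one kept block (carve that block around it), contains a kept
    block (drop it), or is already outside everything kept (nothing to do).
    """
    kept = [ipaddress.ip_network(base)]
    for excl in (ipaddress.ip_network(e, strict=False) for e in exclusions):
        next_kept = []
        for net in kept:
            if net.version != excl.version:
                next_kept.append(net)          # IPv4 vs IPv6: cannot overlap
            elif net.subnet_of(excl):
                continue                        # wholly excluded: drop it
            elif excl.subnet_of(net):
                next_kept.extend(net.address_exclude(excl))  # split around it
            else:
                next_kept.append(net)          # disjoint: untouched
        kept = next_kept
    return sorted(kept, key=lambda n: (int(n.network_address), n.prefixlen))

def allowed_ips_line(exclusions, base="0.0.0.0/0"):
    """Format the result as the AllowedIPs line for a [Peer] section."""
    nets = allowed_ips_excluding(exclusions, base)
    return "AllowedIPs = " + ", ".join(str(n) for n in nets)

def is_covered(nets, addr):
    """True if `addr` falls inside any kept network, i.e. would use the tunnel."""
    ip = ipaddress.ip_address(addr)
    return any(ip in n for n in nets)

if __name__ == "__main__":
    # Constructed sample: keep the router's own LAN off the tunnel.
    print(allowed_ips_line(["192.168.8.0/24"]))
```

Excluding a single /24 from 0.0.0.0/0 yields 24 blocks (one sibling per prefix length), which is why the answer above calls this approach annoying.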

That's not what allowed_ips is for. As each packet comes through the WireGuard tunnel, the receiving end compares the packet's source address to its list of allowed IPs and silently drops the packet if it is not allowed. Allowed_ips is a security mechanism, not a routing logic. The routing decision of VPN vs unencrypted WAN has to be done at the source side of the tunnel.

2 Likes