ASK [wireguard]

nichky · April 13, 2022, 3:14am

when in doing wireguard on my windows computer,
I’m able to reach an ip address even if they are not specifically in to allow address.

config is realy simple, also i have to poitn here that between the MikroTik that works well

/interface wireguard
add listen-port=82 mtu=1420 name=WG1

/interface wireguard peers
add allowed-address=10.0.16.10/32 interface=WG1 public-key=“E/6hJgAA76boQS+q4NjyLd9BXnKjTxxxxxxxxxxxxxxx”

Sob · April 13, 2022, 4:18am

In short, no. Allowed addresses act as both incoming and outgoing filter for what can be on the other side. If it’s not listed, it won’t pass.

nichky · April 13, 2022, 4:37am

well definitely for windows pass, unlike MT to MT

nichky · April 13, 2022, 4:59am

got that, needs to be specifically on the WG-Client (same as OVPN) ,by default is 0.0.0.0/0. It’s makes lot of sense,but i thought that i can manage that from the WG-Server

anav · April 13, 2022, 11:05am

Such misinformation

The cryptokeyrouting on the MT, for example, for local traffic entering the tunnel matches outgoing traffic and selects the appropriate peer. NOT FILTERING.
The cryptokeyrouting on the MT, for example, for remote traffic arriving at the router and with intention to exit the tunnel, is compared to the allowed IP peer list and if matched is allowed through FILTERING.

So technically one is matching/selecting, the other is straight filtering.

If you want to better understand anything Wireguard and specfically Allowed IPs…
https://forum.mikrotik.com/viewtopic.php?t=182340

sindy · April 17, 2022, 10:44am

You can but not by means of Wireguard. allowed-address is compared to the destination address of a packet to be sent to the peer, and to source address of a packet received from a peer. So to “manage that at the WG server”, you have to use firewall rules as usually.

nichky · April 17, 2022, 9:33pm

but between MT, that works very well.Have you noticed that?

Hvala brate

Sob · April 17, 2022, 9:59pm

What exactly works?

One difference between MT and other usual WG clients is that MT has separate allowed addresses and routes. So on MT you can have allowed-address=0.0.0.0/0 (i.e. allow everything), but route only selected subnets you add routes for. Usual WG client would by default automatically add route for whole 0.0.0.0/0 (I think there’s option to not do that).

nichky · April 18, 2022, 12:52am

@Sob

basically i’m saying that allowed-address works only between MikroTik.
For other devices (win/android/ios) i need to do (sindy mentioned) filter rules.

Sob · April 18, 2022, 1:20am

I probably don’t understand what exactly you mean, but again, no, allowed addresses is not anything special in RouterOS, it’s part of WG and works the same everywhere.