Multiple Wireguard Connections Question

Quick question: Does every simultaneous Wireguard connection need it’s own Wireguard interface?

Right now I have a “Back to Home” VPN Wireguard interface set up with multiple peers and I am stumped with a problem I am seeing.

I have two routers that are with my kids at their apartments. I am unable to have both of them active at the same time. The connection is made between their router and my MikroTik but no traffic gets through on the first one to connect. Only the last router to connect passes traffic.

Yet, I can have one of those routers connected and simultaneously connect using my phone with the Back To Home app.

Everything is using different IPs, different ports, etc.

Or is it really better to have just one peer per Wireguard interface?

Thanks!

It's normally not a problem to have multiple peers connected at the same time on a single (RouterOS) WireGuard interface. But you have to make sure that, in the Peers table in RouterOS, all the peers belonging to the same interface do not have overlapping address ranges listed in allowed-address.

For example, you have the WireGuard interface wg1, attached to it are 3 peers.

• In this config, all 3 peers can simultaneously connect at the same time and everything will work without problems:

  • Peer 1: allowed-address=172.22.10.11/32,192.168.20.0/24
  • Peer 2: allowed-address=172.22.10.12/32,10.33.0.0/16,fd63:2abd:4313:20:a::/80
  • Peer 3: allowed-address=172.22.10.13/32,fd63:2abd:4313:20:d::/80

  Notice that none of the address ranges of the three peers overlap.

• But this config will cause problem:

  • Peer 1: allowed-address=172.22.10.11/24
  • Peer 2: allowed-address=172.22.10.12/24
  • Peer 3: allowed-address=172.22.10.13/24

  Because the 3 ranges are actually the same 172.22.10.0/24.

• This is also not OK:

  • Peer 1: allowed-address=172.22.10.11/32,192.168.20.0/24
  • Peer 2: allowed-address=172.22.10.12/32,10.33.0.0/16,fd63:2abd:4313:20:a::/80
  • Peer 3: allowed-address=0.0.0.0/0,fd63:2abd:4313:20:d::/80

  Peer 3 has 0.0.0.0/0 which overlaps with every IPv4 subnets.

• This will fail if the IPv6 addresses are needed:

  • Peer 2: allowed-address=172.22.10.12/32,10.33.0.0/16,fd63:2abd:4313:20:a::/64
  • Peer 3: allowed-address=0.0.0.0/0,fd63:2abd:4313:20:d::/80

  Because fd63:2abd:4313:20:a::/64 is fd63:2abd:4313:20::/64 and contains fd63:2abd:4313:20:d::/80.

You can run the command

/interface wireguard peers print proplist=name,allowed-address,interface

to quickly have an overview of the allowed-address values. Also please note that if the peers belong to different WG interfaces then overlapping is not an issue.

OK. So you can’t have two peers on the same Wireguard interface with allowed addresses 0.0.0.0/0. Well, that would make sense then as the two peers I am working with have those allowed address spaces. But here’s what I don’t get.

Using the settings configured in my iPhone’s Back to Home App, I have the following (with keys and WAN addresses obscured):

[Interface]
ListenPort = 51820
PrivateKey = CANrdlDlaxxxxxxxxx
Address = 192.168.216.8/32, fc00:0:0:216::8/128
DNS = 192.168.216.1

[Peer]
PublicKey = p1Kxxxxxxx
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = hxxxx.vpn.mynetname.net:31731
PersistentKeepalive = 30

So this shows 0.0.0.0/0. So same as my manually configured clients where I set up the peer on the router. But yet in the settings just above (which I can’t change) I show:

image748×1342 96.4 KB

Now the allowed addresses here are different. I’m somewhat confused. Does the Back to Home app somehow set up a bit of a different configuration where you can have overlapping ranges?

Your command shows that as far as the router is concerned, the only allowed addresses for this connection are:

13  D ;;; back-to-home-vpn iPhone 16 Pro Max
      peer89                           192.168.216.8/32                          back-to-home-vpn                   
                                       fc00:0:0:216::8/128                

Yet, I can access any address/site I want from my phone through the VPN on this peer…So I am confused.

It’s not a problem to set up the peers on their own interfaces. Probably a better thing to do anyhow. I’m just wanting to understand why a connection/peer set up from the Back To Home App can have overlapping IP address ranges with a connection/peer set up on the router.

On the phone, in the WG app, when you create a tunnel, it's equivalent to creating a WG interface in RouterOS. The tunnel on the phone has one [Interface] section, which is like defining the interface.

Then below that you have the peer list. In the app, you can actually add multiple peers to a tunnel, each [Peer] section add a peer to the [Interface].

Now look at the tunnel config on the phone that you pasted. As you can see there is only ONE peer associated with the interface (WG interface on the phone), so it's perfectly fine for that peer to have 0.0.0.0/0 in AllowedIPs (equivalent to allowed-address when defining peer in RouterOS).

But if on that phone, under that tunnel, you try to add another peer to another WG server, then you'll see that the 1st peer with 0.0.0.0/0 will interfere and you will have trouble accessing the WG server associated with the 2nd peer (on the phone).

So if you want to connect to another WG server from your phone, you'll need to create a separate tunnel (a separate WG interface) on the phone, and cannot share one [Interface] section with two [Peer] sections if one peer has 0.0.0.0/0.

But it's perfectly fine to have two [Peer] section on the same tunnel on the phone with two different Endpoints pointing to two different WG servers, if their AllowedIPs don't overlap. Like one with AllowedIPs=192.168.216.0/24,192.168.88.0/24 and one with AllowedIPs=192.168.20.0/24 for example.

On the RouterOS router, the peer are correct, using /32 for IPv4 and /128 for IPv6, so they will not interfere with other BTH peers, and you can have multiple remote clients connect back to home using BTH (if they have different IP addresses assigned).

Ah. I see. So basically when using the app on the phone, I’m setting up things in reverse of when I set them up in the router. Do I understand that correctly?

They should be differents . The WG app on the phone is just like WG on the router, you define one interface (so it's called on the router) / tunnel (so it's called on the phone), which specify the port where WG listens on the device, plus the key pair of the device for that tunnel.

When defining this, you also specify the WG IP address of the device in the tunnel. On the phone the [Interface] section contains this information in Address. In RouterOS, you set this address by assigning the address to the interface under /ip address.

Then on each device, you can associate/define multiple peers with this newly created WG interface (tunnel). What important here is that the information you put in each [Peer] is actually made from the information of the remote site. So if you add a peer to connect to the router on the phone, then the [Peer] section on the phone has the public key that the router has on its WG interface. And when you add the peer for the phone on the router, then the public key specified is the keys coming from the [Interface] section on the phone (public key is derived from private key).

Same with the IP addresses, normally, if you only need peer-to-peer connection, then in allowed-address of the peer definition in RouterOS you put what addresses were listed under [Interface] -> Address on the phone. And on the phone, under [Peer] -> AllowedIPs you can just put the address assigned under /ip address on the router to the back-to-home-vpn on the router. Exactly this:

But that's so if you only need peer-to-peer connection. But WG allows you to route more address ranges through the tunnel. So under each [Peer] section, you can extend the address list and add more ranges that you also want to use the tunnel to connect to. Because on the phone you also want to use the tunnel to use the Router back home as relay to go to the whole internet, you put 0.0.0.0/0 in AllowedIPs there, and for every IPv4 destination address, the tunnel will be used and that specific peer is used as relay gateway.

But on the router running RouterOS, normally you only want to talk to the phone using the tunnel, that's why you only need to have the exact IP address of the phone in the tunnel listed in allowed-address, it makes no sense to put 0.0.0.0/0 there, because you don't need the router to go to the internet through the phone.

Sometimes, on the phone you only need to use the router's tunnel for LAN access, not internet access, in that case, don't put 0.0.0.0/0 in AllowedIPs, but only the /32 tunnel address of the router, plus any LAN subnets you need to access to, like 192.168.88.0/24.

Which routers? They have wireguard settings in the router?
What are the user requirements for the back to home connections.
a. for admin (your iphone), config router, access home lan, access kids routers for config, access kids routers LAN, access home WAN?
b. for kids routers, access home lan, access home WAN??

WIthout knowing those details, impossible to provide useful advice.
Also, its not true that both routers cannot have 0.0.0.0./0 set up at their end.
At the back to home device one has to ensure, that each clients allowed address settings is specific to AT least the IP address assigned to the remote device, and should if needed include any subnets that need to be reached if someone is attempting to reach a remote subnet AND/OR indicate any remote subnets coming into the lan of the home router.

Thus it would be useful to see the config of the home router
/export file=anynameyouwish (minus router serial#, any public WANIP information, keys)
Also to see the relevant wireguard settings of the remote two routers ( minus keys and any public WANIP information).

I havent used BTH lately, but willing to fire it up to mimic what you are attemting. Easy to do with 'normal wireguard' harder with BTH.

Also do any of the three locations have a public IP (either directly from an ISP modem, or have an accessible public IP on the attached ISP router (and assuming you can forward ports on this device to one of the routers) or all get private IPs ???

So maybe there’s some misunderstanding on my part of how Wireguard configurations are made. In my mind VPNs have a Server - Client relationship where the MikroTik router would be the server and whatever is connecting to it would be the client. But perhaps that’s not the case from what it sounds like.

I am going to attempt to answer both @CGGXANNX and @anav’s comments/questions here.

So the routers that I have set up with my kids are the GL.iNet GL-SFT1200. While this is a cheap router, it runs DD-WRT which is a solid router OS. I picked this router originally for my one kid as her apartment only has an open WiFi network (no idea if they have client isolation or what for security) and we wanted a router that would act as a WiFi repeater and put her behind a more secure network. The bonus on this router was that it has a Wireguard “client” feature as well. Then when my other kid got an apartment, I wanted to set up the same thing and that’s when my troubles started…

So here’s the relevent parts of the config file:

/interface wireguard
add listen-port=13234 mtu=1420 name="Aliyah VPN Interface"
add listen-port=13235 mtu=1420 name="Keira VPN Interface"
....
add comment=back-to-home-vpn listen-port=31731 mtu=1420 name=back-to-home-vpn
...
/interface wireguard peers
add allowed-address=0.0.0.0/0 client-address=192.168.216.252/32 client-dns=\
    192.168.216.1 client-endpoint=hhxxx.vpn.mynetname.net \
    client-keepalive=30s comment="Aliyah Connection to home" interface=\
    "Aliyah VPN Interface" name="Aliyah VPN " persistent-keepalive=30s \
    preshared-key="xxxxx=" private-key=\
    "zzzzzzz" public-key=\
    "zzzzz" responder=yes
add allowed-address=0.0.0.0/0 client-address=192.168.216.251/32 client-dns=\
    192.168.216.1 client-endpoint=hhxxxxx.vpn.mynetname.net \
    client-keepalive=30s comment="Keira Connection to home" interface=\
    "Keira VPN Interface" name="Keira VPN" persistent-keepalive=30s \
    preshared-key="xxxxxxx" private-key=\
    "xxxxxxx" public-key=\
    "xxxxxxx" responder=yes
.....
add allowed-address=192.168.0.0/23,10.0.0.0/8,192.168.216.4/32 \
    client-address=192.168.216.4/32 client-dns=192.168.216.1 client-endpoint=\
    hhxxxxx.vpn.mynetname.net client-keepalive=30s comment="VPN Laptop" \
    interface=back-to-home-vpn name="VPN Laptop" persistent-keepalive=30s \
    preshared-key="xxxxx" private-key=\
    "xxxxxx" public-key=\
    "xxxxx" responder=yes
.....
/ip cloud
set back-to-home-vpn=enabled ddns-enabled=yes ddns-update-interval=10m
/ip cloud back-to-home-user
add allow-lan=yes comment=iPhone17,2 name=RB5009UG+S+ private-key=\
    "xxxxxxxx" public-key=\
    "xxxxxxxx="
add allow-lan=yes name="RB5009UG+S+ iPhone12" private-key=\
    "xxxxxxx" public-key=\
    "xxxxxxx"
add allow-lan=yes name=Test private-key=\
    "xxxxxxx" public-key=\
    "xxxxxx"
add allow-lan=yes name="Travel Router" private-key=\
    "xxxxxx" public-key=\
    "xxxxxx"
add allow-lan=yes comment="Samsung VPN" name="Galaxy Tab A9+" private-key=\
    "xxxxxxxx" public-key=\
    "xxxxxxx"
add allow-lan=yes comment=test2 name="Galaxy Tab A9+" private-key=\
    "xxxxxxx" public-key=\
    "xxxxxx"
add allow-lan=yes comment=Jon_iPhone_full name="iPhone 16 Pro Max" \
    private-key="xxxxxx" public-key=\
    "xxxxx"
.......

The …. are where I cut lines from the file that aren’t related. So here’s something I just noticed that I’m trying to understand. As you can see, I have an item with the comment “Samsung VPN” and name “Galaxy Tab A9+” - Now, nowhere in the config file is the IP address and peer name of that device which shows up in Winbox:

image938×1350 102 KB

So the config text looks like:

image756×584 45.9 KB

So is the “interface” the tablet then? Why would it have a “listen” port since it is not listening to anything? And so since the IP address 192.168.216.6 is not stored anywhere in my config file, is the MikroTik getting the address then from the tablet? Does the MikroTik even care to know in advance what the information about the “interface”?

When setting up the config for the router for my kids, do I need to enter both interface and peer information?

I guess I’m just not completely understanding Wireguard…

You are indeed not fully aware of the nuances of wireguard. Let’s try to help with that!

Wireguard is indeed a bit strange in that by default the two connecting parties are equals, i.e. peers. In many (most?) situations this only serves to confuse people, because one you’ve decided who will dial and who will respond, this distinction is sort of meaningless. The server side won’t have the endpoint set (it will respond to anyone presenting the correct credentials) and has responder=yes set (it will only respond, not reach out on its own.) The client in turn had keepalive configured, which means that it will attempt the connection and will try to keep it alive with periodic messages.

The next part is the allowed ips. This value actually server two purposes: one is literally what source addresses are expected and allowed on incoming packets from that peer. The other is a bit more subtle: it specifies which destination ips should be routed towards that peer.

In light of this it is totally logical that the setup is asymmetric: the client allows all ips, because any host’s traffic may be correctly tunneled through the server. The server on the other hand expects only a single address to speak to it from the client side, hence the usual /32 address. (In more complicated setups the client’s entire subnet, e.g. a /24, may be routed instead of the /32)

And thus comes about the answer to your original question: it is fully usual to attach many peers to the same interface. Problems obviously come about is the allowed ips overlap, because - as discussed - this also supplies the routing information, which can’t be contradictory.

Thank you.

But if I set up a connection from the MikroTik, what do I need to use for “allowed addresses”? Is that the allowed addresses for incoming packets from the Peer? I want the Peers to be able to access the entire internet through the MikroTik. So obviously, on the Peer side, the addresses need to be 0.0.0.0/0 but what about on the MikroTik side? Is the allowed address only the assigned VPN IP of the remote peer?

This is where I am confused…

OK. So just looked at setting up a dummy connection. If I set up the peer on the MikroTik, no matter what I enter for allowed addresses, the remote peer, always has 0.0.0.0/0 as allowed addresses. So if I want to restrict a remote peer so that it only accesses my LAN over the VPN, I need to set that up in the config on the remote side and NOT on the MIkroTik.

So in my mind then on the MIkroTik side, the only “allowed addresses” for an incoming VPN would be that of the peer on the other side. Yes?

On the server:

• One wg interface, multiple peers
• Peers have allowed ips as /32
• /Ip/addr is assigned as a /24 on the interface

On the clients:

• Allowed ip as 0.0.0.0/0
• Address assigned on interface as /24
• Masquerade

As @lurker888 wrote, with WG the peers are equals. You only choose the router to be "server" because it has a public reachable IP address that accepts incoming connection on the WG UDP port, but inside the tunnel, all the devices are peers.

• On each device (router, phone, tablet, laptop, etc...), in the [Interface] section you define the peer that is the device itself. You include ListenPort because when the WG app or kernel process runs it need a port to create an UDP socket on the device to send and receive UDP packets. Here you also specify the "Address" which is the IP address in the tunnel that the device choose for itself.

  In your screenshot, BTH generated the client config text file where it put Address = 192.168.216.6/32, fc00:0:0:216::6/128, so when you import that file into the WG app on the tablet, the app will choose the 192.168.216.6 and fc00:0:0:216::6 as its IPv4 and IPv6 address inside this WG tunnel network. When the tablet make a new connection and send things into the tunnel, it will choose either of those IP addresses as source for the IPv4 and IPv6 packets.

• The config also has one [Peer], that says AllowedIPs = 0.0.0.0/0, ::/0. This is a hint that when this particular tunnel is active, for all IPv4 and IPv6 destinations, this specific peer should be used to send those packets to. And this peer has this specific public key for identification, and if there is no actively running WG tunnel to this peer yet, then the address and port information listed under Endpoint can be used to send the initial WG handshake too. The "yet" here is important. Because WG has support for roaming, while a tunnel between two peers is actively "running" both ends (both peers) can roam and have completely different public IP address. The Endpoint information under this peer section is only needed when the device must make the initial handshake to establish the tunnel. If the tunnel is already established, or if the tablet is not the initiator of the first handshake, then no information is even needed to be listed in this Endpoint section.

Side note: As you can see, the router doesn't need to actively initiate WG connection to the tablet, that's why on the Peer on the router, there is nothing listed under Endpoint and Endpoint Port. It's not needed. If the tablet initiates the connection, then WG on the router will see the endpoint (address and port) and will put that information in the read-only Current Endpoint Address and Current Endpoint Port of the screenshot above.

• Now, let's say the tablet has initiate the handshake and establish the WG tunnel between itself and the remote peer which is the router. The tablet now will send all web browser traffic through the tunnel to the peer that is the router, because it has AllowedIPs = 0.0.0.0/0, ::/0 listed under this [Peer]. These packet all have 192.168.216.6 (or fc00:0:0:216::6 if IPv6) as source address, because it's the address of the tablet on its WG interface (defined under [Interface]).

  The packets go through the tunnel and arrive at the router. Due to the public key of the remote peer (the tablet) WG on the router can associate these packets with the peer with the comment "back-to-home-vpn Galaxy Tab A9+". Now it will check the source address of the packets with the allowed-address list of the peer. As you can see, this field has the value 192.168.216.6/32,fc00:0:0:216::6/128. Which means the packet that the tablet sent will pass this check (because they have the source in the listed range) and will be accepted. The packets will also have in-interface as back-to-home-vpn on the router.

  But if that allowed-address field didn't contain a range that can match the source address of the packets, then the packets will be dropped!

• Now the router will further process the packets. Next there will be responses to those packets, the response will now have the 192.168.216.6 or fc00:0:0:216::6/128 as destination address. In the routing table on the router, the responsible gateway for those destination is the back-to-home-vpn WireGuard interface. Which means the response packets will be handled by WG.

  WG responsible for the back-to-home-vpn interface will now need to decide where to send (forward) these response packets. It will now look through the list of its peers, and the first peer that if finds that have subnets in allowed-address that can match the destination address of the packet will be chosen as destination peer. In this case the peer with the comment "back-to-home-vpn Galaxy Tab A9+" has allowed-address that can be used for 192.168.216.6 or fc00:0:0:216::6 and it will be picked up.

Side note: This is why there will be problems if the peers of the same WG interface have overlapping allowed-address ranges. Because the first peer found that has the range that can contain the destination address is picked up, the really intended peer, that also has the matching allowed-address ranges will be skipped, if it sits behind in the peer list. It also appears that the list is in the order of the last modification made to the peers. That's why when there are issue with overlapping allowed-address people on this forum often find out that opening the peer and saving it make it able to have working connection again (because it's moved to the top of the search list).

• So the response packet will be sent through the tunnel to the chosen peer, the tablet device. On that tablet the same verification is made. The source address of the packet is checked against the AllowedIPs subnet lists of the incoming peer, and the packet will only be accepted if it's in one of those subnets. But on your tablet, 0.0.0.0/0, ::/0 is listed here, so any response packets will be accepted. Which is fine, because when you use the table and browse the web through the tunnel, the responses sent back by all those web servers will have source IP addresses from all over the internet, and it makes no sense to put any restrictions here.

If you now edit the tunnel information in the WG app, and change ListenPort to something else for example, then there will be no issue at all, this only affects the port that the WG app on the tablet uses to create the UDP socket.

But if you edit the tunnel and change to Address = 10.20.30.40/32, or Address = 192.168.216.7/32, then there will be problems. Because while the tunnel can be established (handshake only needs the keys to match), the tablet will now send packets with source 10.20.30.40 or 192.168.216.7 respectively, and when they arrive at the router, they will not pass the allowed-address check and will be dropped.

And if you decide to change the PrivateKey under [Interface] on the tablet, then now even the handshake cannot be established, because the new key no longer matches the public key stored on the router for this tablet peer.

Same if on the tablet you edit the [Peer] section and change the PublicKey. If this value doesn't match the value of the router's back-to-home-vpn interface, then handshake will also fail.

And of course, if you edit Endpoint and give wrong address/domain/port, then the table will not be able to initiate the handshake to the router if the tunnel is not already actively running.

Also, please note that in the WG Peer settings on RouterOS, all the fields that start with "Client XXX" are not relevant to the working of the tunnel and the peers. They can actually contain garbage data or stay empty if you wish. But they have a use:

The information from those field will be used to generate the QR-Code as well as the textual config that you see under "Client Config" in WinBox. But it's only to assist you when you want to quickly import and setup the matching tunnel on the external devices. Which means although they can contain garbage, you should keep the value 'in-sync' with the other important values above in the dialog. From the screenshot, you can see "Client Address" (which will be output as the [Interface] -> Address section of the file) should be something that the "Allowed Address" field above in the dialog will be able to match with its listed subnets.

I think this should be /32 if it's meant to be put in the Address = line of the [Interface] section of the WG config.

Unless the "client" is another RouterOS device, then setting the address is done by adding entry to /ip address, then yes, you set the prefix length /24 for the automatically added route. But technically, the assigned address is still only an /32 address.

Of course you are totally correct that it would work the same with a /32 address.

However, wireguard interfaces include additional internal routing (as in distinct from that normally done by the networking stack) and so on-link domains make sense for them. They are different than usual ppp interfaces, as are the interfaces presented by the official OpenVPN and ppp-accel for that matter.

Whether constructing them this way was a good idea or not can be debated, but os vendors have apparently given up and accepted this.

I dont care to speculate when the configs of all three devices have not been shared.
a. if MT
/export file=anynameyouwish (minus router serial#, any public WANIP information, keys, dhcp lease lists)

b. if not MT, then the relevant wireguard settings with same caveats as in a.

OK. This is all great and I am very close to having an understanding but… I’m still a little bit confused on the allowed addresses thing.

Right now, I am remote and connected to my VPN through my laptop. The Wireguard client on my laptop has the following settings for the connection:

[Interface]

PrivateKey = xxxxxx

ListenPort = 51820

Address = 192.168.216.4/32

DNS = 192.168.216.1

[Peer]

PublicKey =xxxxxx

PresharedKey = xxxxx

AllowedIPs = 192.168.0.0/23, 10.0.0.0/8, 192.168.216.1/32

Endpoint = hhd0a7x17ha.vpn.mynetname.net:31731

PersistentKeepalive = 30

So the interface in this case is the interface on my laptop. Yes? And the Peer - is the peer the laptop or is it the WG? Because if I edit those allowed IPs and say take out the 10.0.0.0/8 entry, I can’t access any of the devices on my 10.0.0.0 network. So the way I am seeing it, this setting on the laptop is important as it says what addresses go through the tunnel to the Peer (in this case the WG). Correct?

But on the WG, the only allowed address I need to have for this connection is 192.168.216.4/32 - Correct? Because that is the only device communicating through this connection.

Am I understanding this correctly?

Yes, with that section in the config file, the WG client on the laptop opens an UDP socket on the port 51820 of all available network adapters and uses the socket to send / receive WG packets (the outer packets of the tunnel).

The [Peer] listed below that is the information about the WG running on the RouterOS router device. Not the information about the laptop's WG. The laptop's WG informations are already under the [Interface] section.

The [Peer] sections of the config file (there can be multiple, not only one) contains information about the other remote side(s) of the tunnel.

And on the RouterOS router it's similar: You define one WG interface (/interface wireguard add), then you add peers to the interface (/interface wireguard peers add). The peer entries added there also contain information about the remote parties (like the tablet or the laptop), not about the router device.

That's how it is intended to work. On the laptop, when the WG tunnel is active, WG will install routes (if running Windows you can run route print in the command line to see them, for Linux run ip route) in the laptop's routing table, by using the information listed by AllowedIPs of all the [Peer] sections of the active WG tunnel. In the example config above, there will be routes installed for destinations 192.168.0.0/23, 10.0.0.0/8, and 192.168.216.1/32, that have the tunnel network adapter (WG creates this virtual network adapter on the laptop when the tunnel is active) as gateway.

Now when you send something with the destination 10.x.y.z and WG is active, the operating system on the laptop will consult its routing table and see that the packet should be sent using the virtual network adapter created by WG. WG which runs behind this adapter will take the packet see the destination 10.x.y.z and scan the peers of the active WG instance. It will find the peer that has 10.0.0.0/8 that can contain this address. It will use the other information listed under that [Peer] section (Endpoint, PublicKey and PreshareKey) to establish the handshake with that remote party (if the handshake is not already active) and then encrypt and encapsulate the packet that needs to be sent (packet with destination 10.x.y.z) and send to that remote endpoint.

As you can see, this look similar to what I described above when the router needed to send the response packet to the remote A9+ tablet, it also had to use the routing table to know that back-to-home-vpn is the gateway interface, and the WG associated with that interface also needs to scan its peer list to find the suitable peer (the tablet).

So now what happens if you remove 10.0.0.0/8 from the AllowedIPs list of that [Peer] section?

• First, the WG client application will no longer install a route for the destination 10.0.0.0/8 in the laptop's routing table anymore. You can verify this by listing the routes using the command above when the tunnel is actively running.

  Which means when some app/program on the laptop needs to send a packet to destination 10.x.y.z, there is no more route that tells the operating system to use the virtual tunnel network adapter to send the packet. Instead some other matching route, such as the default 0.0.0.0/0 route with some other gateway will be used, and the packet will not be sent using WG.

• Second, even if you've manually manipulated the routing table and add routes, so that packets with destination 10.x.y.z will have the WG tunnel adapter as gateway, when WG needs to process this packet, it will scan the list of peers to find a suitable one to send the 10.x.y.z destination packet too. But now none of the [Peer] have anything in there AllowedIPs ranges that can contain the 10.x.y.z address. WG cannot find a suitable peer, and the packet cannot be sent.

As a result, you on your laptop cannot access any resources on your 10.0.0.0/8 network.

To be more correct, the start of this question should be "But in the WG configuration on the router...". Yes, on the peer definition associated with the laptop on the router, you only need to list 192.168.216.4/32 because:

• The router will use this subnet when checking whether it should accept the packets sent by the laptop or not. The laptop will always set 192.168.216.4 as source address of the packets it sends through the tunnel, so this is fine and fully enough.

• When packets need to be sent to the laptop through the tunnel (including all the response packets to the request that the laptop previously sent), the destination address of the packets will all be 192.168.216.4. So when WG on the router scans the list of peers for a suitable candidate, this peer with allowed-address=192.168.216.4/32 can satisfy the check and will be picked up.

  Of course, if on the router the peer list only has one item, then nothing prevents you to put allowed-address=0.0.0.0/0 for this singular item. And this peer will also be picked when packets need to be sent to 192.168.216.4 and it works too. But if there is more than one peers listed then the peer having allowed-address=0.0.0.0/0 will cause problem, because it might catch all the packets that were intended for the other peers. That's why it's important to not have overlapping address ranges among the peers of the same interface.

And if the WG tunnel is not between the laptop and the RouterOS router (Road Warrior configuration), but between two routers (site-to-site configuration) where you want the LAN behind the two routers to see each other, then having only allowed-address=192.168.216.4/32 will not be enough. Because with that only packet destined to the sole router device can be sent (and received from only that address). If you want to send packets to the LANs behind that router too, then the subnet of those LANs should also be added to the list. This also has the effects that when the devices in those LANs send packets to this side of the tunnel, the packets will have source addresses in those address ranges too, and will be accepted by this side of the tunnel because allowed-address can match those addresses.

Correct. Sorry I meant to say MT or MIkroTik not WG.

OK. All this is starting to make sense now. Thank you for being patient and explaining this. It’s all starting to come together. I think I just was thinking that the interface and client settings needed to be the same on both sides. Now I am seeing that is not the case. I’m also understanding why connections set up (or frankly even touched) by the Back To Home app all show up as Dynamic on the router and can’t be edited.

Here are the basics.......
Allowed Addresses is to identify REMOTE ( repeat ) REMOTE users/subnets etc.
There should never be any local lanIPs or subnets on Allowed Addresses.
On router to router wireguard connections, one also has to ensure there are IP routes for the non-local subnets so the router knows where to send return traffic to/or originating traffic to ( gateway=localwg-interfacename routing-table=main ).

For a client peer such as a laptop or iphone etc, going to a server router for handshake..........
Allowed IPs is typically ONE of two settings.

a. NEED INTERNET --> 0.0.0.0/0 ( which means all IP addresses, and is needed if one intends for that client peer to be allowed out the internet of the router ). Note this includes wireguard ip address and any subnets on the router or any connected routers as well.

b. Do NOT need INTERNET ----> wg ip address,subnetA,subnetB,subnetC
If you dont need internet then you will first and foremost have to identify the wireguard peer (in this case the router, I prefer always to put the wireguard subnet! The reason being if you are connecting to the main wirguard router but want to connect to another connected MT router, then the subnet covers all cases. So best practice when a client peer is to have the wg subnet as the first entry.
After that add any subnets on the server router you need to reach, and even subnets from connected mT routers that you may wish to access.
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++