Please explain AllowedIPs

[SharkFourSix]

How does AllowedIPs behave on clients and what are the side effects?

It's not very clear whether the client's behavior overrides the server's behavior in terms of allowing or refusing access to the network/subnet, and or IP address(es) specified in that field.

My understanding is that, even if you assign an IP, say of, 10.0.1.x/32, to a client Peer, it can specify its own IP with a different subnet, allowing it to receive other peers packets.

Is this the case? If so, how can one configure wireguard to only allow peers access the servers internet (pass-through) but without the peers having access to, or knowledge of other peers?

[Gryd3]

@SharkFourSix .
AllowedIPs is set in each [Peer] section within a given configuration.
It's possible to have multiple [Peer] sections, and each section needs to have it's own AllowedIP values that don't conflict with the values in other [Peers] in the same configuration or other configurations on the machine. (Overlaps are allowed, exact copies/conflicts are not)
This is used ONLY on the machine this config exists on, and will be used to install routes in this machine to use the associated [Peer] for any of the IPs listed in the AllowedIPs option. The value of AllowedIPs has no direct influence on any remote machines.*

*A remote machine configured as a [Peer] will receive any traffic you send to it. The traffic sent is dictated by a combination of values in AllowedIPs as well as your local machine's routing table. In this way, perhaps you could argue that AllowedIPs will have an indirect influence on what traffic the remote machine(s) 'see' depending on how the remote machines are configured.
Other configuration items in a remote machine will dictate how traffic is handled. The remote machine may accept traffic only for itself, or it may forward all or limited traffic to other IPs. (But this is outside the scope of Wireguard.)

For more information about how routing tables alter the behavior of your machine, you'll need to do some digging into how routing works for IPv4 or IPv6.

Please note that 'AllowedIPs' is NOT a security option, and should not be used to restrict your users from accessing resources. You will need to use your own firewall / forwarding rules for proper security. (AllowedIPs is easily changed by users)

[SharkFourSix]

Alright thanks.

The last point is what I basically wanted.

Conclusion: Don't use AllowedIPs for traffic access control.

This should be stuck on a big red banner somewhere because the wording feels like it's alluding to that fact.

Then perhaps there needs to be a feature to provide high level packet filtering configuration that can then get passed down to iptables or something, only affecting the WG tunnel devices. It only feels right.

[pirate]

yeah it's not really for "filtering" anything on the application layer, it's more about "what IPs does this node advertize routes for"

[Gryd3]

yeah it's not really for "filtering" anything on the application layer, it's more about "what IPs does this node advertize routes for"

I'd update this response a little.
There's no dynamic routing protocol involved here, so there's no advertisements.
Static route is added for each IP in the AllowedIP which will use the [Peer] as the next-hop/destination.