What does WireGuard AllowedIPs actually do?

WireGuard’s allowed_ips field does two different things. Let’s consider the following WireGuard config (generated by the WireguardConfig Site2Site example):

```ini
[Interface]
# Name = office1.mydomain.org
PrivateKey = ......
Address =
ListenPort = 19628

[Peer]
# Name = office2.mydomain.org
PublicKey = ...
AllowedIPs =,
PersistentKeepalive = 60
```

We can see that for the peer office2.mydomain.org the AllowedIPs field is set to,

AllowedIPs does two things:

Note especially the second point. Any packet from the given peer with a source IP address which is not listed in AllowedIPs **will be discarded!** While this does not replace a firewall, it serves as an integral part of WireGuard’s security model.
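
The following is an added example, not code from WireGuard or from WireguardConfig. It models the per-interface AllowedIPs table as WireGuard's cryptokey routing describes it: when sending, the destination IP selects the peer, and when receiving, the decrypted packet's source IP must map back to the peer that sent it. Peer names and address ranges are constructed, and the function names are hypothetical.

```python
import ipaddress

# Constructed peer table: peer name -> AllowedIPs entries (private ranges).
PEERS = {
    "office2": ["10.2.0.0/16", "192.168.20.0/24"],
    "laptop": ["10.2.5.7/32"],  # more specific entry inside office2's /16
}

def build_table(peers):
    """Flatten the config into (network, peer) pairs for one interface."""
    table = []
    for peer, cidrs in peers.items():
        for cidr in cidrs:
            table.append((ipaddress.ip_network(cidr), peer))
    return table

def lookup(table, address):
    """Longest-prefix match of an address against every AllowedIPs entry."""
    ip = ipaddress.ip_address(address)
    matches = [(net, peer) for net, peer in table
               if ip.version == net.version and ip in net]
    if not matches:
        return None
    return max(matches, key=lambda m: m[0].prefixlen)[1]

def route_outbound(table, dst):
    """Sending: the destination IP picks the peer (None = no peer, not sent)."""
    return lookup(table, dst)

def accept_inbound(table, from_peer, src):
    """Receiving: keep a decrypted packet only if its source IP maps back
    to the peer whose session delivered it; otherwise it is discarded."""
    return lookup(table, src) == from_peer

TABLE = build_table(PEERS)

if __name__ == "__main__":
    for dst in ("10.2.1.1", "10.2.5.7", "8.8.8.8"):
        print("send to", dst, "->", route_outbound(TABLE, dst))
    for peer, src in (("office2", "192.168.20.5"),
                      ("office2", "172.16.0.1"),
                      ("office2", "10.2.5.7")):
        verdict = "accept" if accept_inbound(TABLE, peer, src) else "discard"
        print("from", peer, "src", src, "->", verdict)
```

The last case shows the overlap edge: `10.2.5.7` lies inside office2's `/16`, but the more specific `/32` belongs to another peer, so a packet from office2 claiming that source is discarded.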