What does WireGuard AllowedIPs actually do?

WireGuard’s allowed_ips field does two different things. Let’s consider the following WireGuard config (generated by the WireguardConfig Site2Site example):

# Name = office1.mydomain.org
PrivateKey = ......
Address =
ListenPort = 19628

# Name = office2.mydomain.org
PublicKey = ...
AllowedIPs =,
PersistentKeepalive = 60

We can see that for the peer office2.mydomain.org the AllowedIPs field is set to,

AllowedIPs does two things:

  • It adds a route to the given networks, i.e. packets addressed to or to will be routed through the WireGuard interface to that peer
  • It will allow packets with the source IPs or to be routed from the given peer on the WireGuard interface

Note especially the second point. Any packet from the given peer with a source IP address which is not listed in AllowedIPs will be discarded! While this does not replace a firewall, it serves as an integral part of WireGuard’s security model.
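To make both halves of this behaviour concrete, here is an added simulation of WireGuard’s cryptokey routing decision (example code, not WireGuard’s own implementation). The peer names reuse the config above, but the AllowedIPs networks and the extra peers are constructed for the example, since the page’s own addresses are not shown.

```python
import ipaddress
from typing import Dict, List, Optional

# Constructed sample peer table (not the page's addresses): each peer maps to
# its AllowedIPs list. The "gateway" peer with 0.0.0.0/0 shows what a
# default-route peer does to the inbound source check.
PEERS: Dict[str, List[str]] = {
    "office2.mydomain.org": ["10.2.0.0/24", "192.168.2.0/24"],
    "office3.mydomain.org": ["10.3.0.0/24"],
    "gateway": ["0.0.0.0/0"],
}


def _networks(cidrs: List[str]):
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]


def peer_for_destination(dst: str, peers: Dict[str, List[str]] = PEERS) -> Optional[str]:
    """Outbound side (point 1): pick the peer whose AllowedIPs contains the
    destination, longest prefix wins. None means no peer claims the address,
    so the packet would not be sent over the WireGuard interface at all."""
    addr = ipaddress.ip_address(dst)
    best, best_len = None, -1
    for name, cidrs in peers.items():
        for net in _networks(cidrs):
            if addr in net and net.prefixlen > best_len:
                best, best_len = name, net.prefixlen
    return best


def accept_from_peer(peer: str, src: str, peers: Dict[str, List[str]] = PEERS) -> bool:
    """Inbound side (point 2): a decrypted packet from `peer` is accepted only
    if its source address lies inside that peer's AllowedIPs; otherwise it is
    dropped. A peer with 0.0.0.0/0 therefore passes any source address."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in _networks(peers.get(peer, [])))


if __name__ == "__main__":
    print(peer_for_destination("10.2.0.7"))                       # office2.mydomain.org
    print(peer_for_destination("8.8.8.8"))                        # gateway
    print(accept_from_peer("office2.mydomain.org", "10.3.0.1"))   # False: dropped
    print(accept_from_peer("gateway", "10.3.0.1"))                # True: 0.0.0.0/0 passes all
```

The last two lines show why a peer configured with 0.0.0.0/0 effectively switches off the source check for that peer, which is worth keeping in mind when a tunnel is also relied on as a filter.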