WireGuard AllowedIPs Calculator

Use the following form when you need to calculate complex AllowedIPs settings for a WireGuard peer, by subtracting the “disallowed” IP address blocks from the “allowed” IP address blocks:


AllowedIPs =

For example, say you wanted to route everything in the 10.0.0.0/8 block of IP addresses through a WireGuard peer — except you also wanted to exclude the smaller 10.0.1.0/24 block from it. In the Allowed IPs field, input 10.0.0.0/8; in the Disallowed IPs field, input 10.0.1.0/24; and click the Calculate button. This is the result you’ll get (which is what you enter into your WireGuard config):

AllowedIPs = 10.0.0.0/24, 10.0.2.0/23, 10.0.4.0/22, 10.0.8.0/21, 10.0.16.0/20, 10.0.32.0/19, 10.0.64.0/18, 10.0.128.0/17, 10.1.0.0/16, 10.2.0.0/15, 10.4.0.0/14, 10.8.0.0/13, 10.16.0.0/12, 10.32.0.0/11, 10.64.0.0/10, 10.128.0.0/9

Or as another example, say you wanted to route everything but the standard private, local, or link-scoped IP address blocks through a WireGuard peer. In the Allowed IPs field, input 0.0.0.0/0, ::/0; in the Disallowed IPs field, input 0.0.0.0/8, 10.0.0.0/8, 127.0.0.0/8, 169.254.0.0/16, 172.16.0.0/12, 192.168.0.0/16, 240.0.0.0/4, fc00::/7, fe80::/10; and click the Calculate button. This is the result you’ll get:

AllowedIPs = 1.0.0.0/8, 2.0.0.0/7, 4.0.0.0/6, 8.0.0.0/7, 11.0.0.0/8, 12.0.0.0/6, 16.0.0.0/4, 32.0.0.0/3, 64.0.0.0/3, 96.0.0.0/4, 112.0.0.0/5, 120.0.0.0/6, 124.0.0.0/7, 126.0.0.0/8, 128.0.0.0/3, 160.0.0.0/5, 168.0.0.0/8, 169.0.0.0/9, 169.128.0.0/10, 169.192.0.0/11, 169.224.0.0/12, 169.240.0.0/13, 169.248.0.0/14, 169.252.0.0/15, 169.255.0.0/16, 170.0.0.0/7, 172.0.0.0/12, 172.32.0.0/11, 172.64.0.0/10, 172.128.0.0/9, 173.0.0.0/8, 174.0.0.0/7, 176.0.0.0/4, 192.0.0.0/9, 192.128.0.0/11, 192.160.0.0/13, 192.169.0.0/16, 192.170.0.0/15, 192.172.0.0/14, 192.176.0.0/12, 192.192.0.0/10, 193.0.0.0/8, 194.0.0.0/7, 196.0.0.0/6, 200.0.0.0/5, 208.0.0.0/4, 224.0.0.0/4, ::/1, 8000::/2, c000::/3, e000::/4, f000::/5, f800::/6, fe00::/9, fec0::/10, ff00::/8

Background

You use the AllowedIPs setting of WireGuard to configure which blocks of IP addresses should be routed through which remote WireGuard peers. If you want to access everything through a peer, configure its AllowedIPs setting to the following:

AllowedIPs = 0.0.0.0/0, ::/0

This indicates to WireGuard that all IPv4 addresses (0.0.0.0/0) and all IPv6 addresses (::/0) should be routed through the peer. Note that you can specify multiple blocks of addresses on the same line, separated by commas, like above; or you can specify them individually on separate lines, like below:

AllowedIPs = 0.0.0.0/0
AllowedIPs = ::/0

If you want to access just a single block of IP addresses through a WireGuard peer, like say a block of IP addresses at a remote site that range from 192.168.100.0 to 192.168.100.255, you’d set the AllowedIPs for it to the following:

AllowedIPs = 192.168.100.0/24

But what if you want the inverse, where you want everything except a single block (or two or three specific blocks) to be routed through a WireGuard peer? In many cases, you have subtract the exceptions from the block of allowed addresses, and set AllowedIPs to the resulting (often long) list of blocks.

For example, say you want to route all Internet traffic through a WireGuard peer, except that you don’t want to route the traffic of your internal networks through it, which use various subnets within the private-use 10.0.0.0/8 block. To make that happen with the AllowedIPs setting, you’d have to configure the peer with the following AllowedIPs:

AllowedIPs = 0.0.0.0/5, 8.0.0.0/7, 11.0.0.0/8, 12.0.0.0/6, 16.0.0.0/4, 32.0.0.0/3, 64.0.0.0/2, 128.0.0.0/1

That’s the list of blocks you get when you subtract 10.0.0.0/8 from 0.0.0.0/0 — conceptually you might express it like the following:

AllowedIPs = +0.0.0.0/0, -10.0.0.0/8

Or another way of expressing it might be:

AllowedIPs = 0.0.0.0/0
DisallowedIPs = 10.0.0.0/8

A Better Alternative

As you can see, subtracting one block of IP address from another block can result in a painfully long list of blocks to add to the AllowedIPs setting. On some platforms, like mobile phones, you don’t have any other options — but on Linux, you have some powerful routing tools available that can simplify the situation.

In most cases, you can simply add a route to your main routing table to “subtract” a block of IP addresses from those routed via the WireGuard tunnel. And you may even find that the necessary route already exists — in which case you don’t have to do anything at all.

For example, say you want to route everything in the 10.0.0.0/8 block to a WireGuard peer, except for 10.0.1.0/24. Instead of subtracting 10.0.1.0/24 from 10.0.0.0/8 with the above calculator, and setting the peer’s AllowedIPs to the result, just set the peer’s AllowedIPs to the full 10.0.0.0/8 block. Outside of WireGuard, add an explicit route for 10.0.1.0/24 to your main routing table. Because 10.0.1.0/24 has a longer prefix length than 10.0.0.0/8 (/24 vs /8), the Linux routing engine will automatically use the route for 10.0.1.0/24 over the route for 10.0.0.0/8.

In fact, you may find that you have the necessary route for the exceptional block already set up — run the command ip route show table main (or just ip route, which by default lists the routes of your main routing table) on the host to see what (IPv4) routes you have already:

$ ip route show table main
default via 192.168.1.1 dev eth0 proto dhcp metric 1000
10.0.0.0/8 dev wg0 scope link
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.123 metric 100

If do you see a route listed for your exceptional block (10.0.1.0/24 in our example), you won’t have to add anything. If you don’t see it listed, however, you’ll have to add the route yourself. Fortunately, this easy — you just need to know the IP address of the gateway for the block, and the network interface to get there. Often, this will be the same as your default gateway (the line beginning with default in the above listing).

The simplest way to do this is to add the following ip route add and ip route del commands to the PreUp and PostDown scripts in your WireGuard config. To add a route for the 10.0.1.0/24 block with 192.168.1.1 as the gateway using the eth0 interface, add the following PreUp and PostDown settings to the [Interface] section of your WireGuard config:

[Interface]
PrivateKey = ...
PreUp = ip route add 10.0.1.0/24 via 192.168.1.1 dev eth0
PostDown = ip route del 10.0.1.0/24 via 192.168.1.1 dev eth0

[Peer]
PublicKey = ...
AllowedIPs = 10.0.0.0/8

Note that you can have multiple PreUp and PostDown lines in your config (similar to AllowedIPs). Multiple PreUp or PostDown lines are equivalent to a single PreUp or PostDown line joined together by semicolons.

Also note that the ip route commands above apply only to IPv4 addresses — for IPv6 addresses, you have to add the -6 flag (eg ip -6 route show table main).