Client can access extra IPs by modifying AllowedIPs even when not intended

[rohan-sirohi-spraxa]

Hi everyone,

I want to understand if this behavior is expected in WireGuard / wg-easy or if I’m missing something.

Example scenario

On my WireGuard server, I have access to multiple IPs/services:

• 212.168.13.14
• 78.78.78.78
• 38.38.38.38

What I want

When creating a VPN profile for a specific client, I want to restrict the client so that it can access only one IP, for example:

• 212.168.13.14

And nothing else, even if:

• The server itself has access to other IPs
• The client tries to modify their own WireGuard config

What I configured

• On the server side (wg-easy), I set the client AllowedIPs to:

  212.168.13.14/32
  

• On the client WireGuard config, AllowedIPs is also:

  212.168.13.14/32
  

With this setup, everything works correctly.

The problem

If the client edits their own WireGuard config and adds:

78.78.78.78/32
38.38.38.38/32

Then:

• The client can access those IPs successfully
• Even though I never intended to allow them
• And even though I only configured 212.168.13.14 for that client

Expected behavior (from my side)

I expected that:

• Client-side AllowedIPs should not grant access on their own
• Any IP should work only if it is explicitly allowed on the server side
• Client should not be able to expand access by modifying their local config

Questions

1. Is this the expected WireGuard behavior?

2. Does wg-easy not enforce per-client IP restrictions on the server side?

3. Is there any way to force server-side enforcement, so that:

   • A client cannot access 78.78.78.78 or 38.38.38.38
   • Unless I explicitly allow those IPs for that client on the server

4. If this is not possible today, should this be considered a feature request?

Version I am using : WireGuard Easy (v15.1.0)

Thanks in advance for any clarification or best practices.

[kaaax0815]

The tooltips for Allowed IPs: "Which IPs will be routed through the VPN"
The tooltip for Server Allowed IPs: "Which IPs the server will route to the client"

The naming doesn't have anything to do with actually enforcing said IPs, its not a allowlist in the traditional sense.
This is simply the terminology chosen by WireGuard.

This is also mentioned in the docs: https://wg-easy.github.io/wg-easy/v15.1/guides/clients/#allowed-ips

This could be fixed in a PR that modifies the Firewall to enforce it (see #2238, which is not merged because of code quality)

[rohan-sirohi-spraxa]

Thanks for linking the PR and clarifying.

I understand now that AllowedIPs in WireGuard is strictly a routing concept, not an access-control mechanism, and wg-easy currently does not enforce per-client restrictions at the firewall level.

After reviewing #2238 and the comments, I agree that:

• This should be opt-in
• The current implementation details need rework
• Port-based AllowedIPs is debatable

That said, I think the core problem is real: many admins assume “Allowed IPs per client” implies restriction, and the ability for a client to expand access locally is unintuitive from a security standpoint.

Even if this PR isn’t mergeable as-is, some combination of:

• clearer UI/docs warnings, or
• an optional firewall-enforced mode in the future

would help avoid this confusion.

Thanks again for the explanation and for maintaining the project .

[kubakubakuba]

What is the proper way to facitilate this feature? Do I set the hooks on the server interface, to block/allow traffic manually?

I agree with @rohan-sirohi that it would be a nice feature to have some form of "enforcing" allowed connections in a quick and easy way, instead of manually configuring the interface every time (while the config/hooks only get longer with every added client that needs special configuration).