  • [6.12.10] Wireguard "AllowedIPs" isn't accepted by the WebUI


    sonic6
    • Minor

    If I add an IP to "Peer allowed IPs", it won't be shown in the downloadable config:

     






    Of course it doesn't, you chose "remote access to the server". That only gives you access to the server, nothing else.
    Also, you're looking in the wrong section for that^^ since the endpoint that you highlighted gives you the server IPs on their respective subnets which you can use to reach it.

    Link to comment

    It worked like I want when I manually edited it in the client config.

    The peer "kvm-isg" can only reach the server, but there are also peers that are allowed to communicate with: 10.253.3.1 - 10.253.3.30

    Link to comment

    Then your choice of "remote access to server" is the wrong preset, because that's clearly not what you want.

    Link to comment
    sonic6

    Posted (edited)

    Okay, the case is:

    10.253.3.31-10.253.3.100 should be connected to the server, but not see each other or other clients on that VPN.

    10.253.3.1-10.253.3.31 should be connected to the server and all other VPN clients.

    So what should be the "right" preset for that case?

    I think my choice is right, with the "manual" addition to the "AllowedIPs", or how should I handle that?

    Btw, I manually added the "AllowedIPs" on the seeds after I imported the config, and it works like it should.

    I don't know if I am right, but those "presets" are for the IP tables and WebUI, but it shouldn't remove manually added values. Especially when those additions are working.

    Edited by sonic6
    Link to comment

    For every client that's only supposed to see and talk to the server, remote access to server is the right choice.

    For every client that's supposed to talk to the server and VPN clients, you're looking at a hub and spoke setting.

    Granted, that one you would have to modify manually too, since it by default gives a CIDR of /24.

    Solving everything you want within 1 single tunnel setup will be a manual endeavor regardless. The GUI cannot help you with that "complex" setup in an easy way, because you can just circumvent the "limitations" quite quickly, as you noticed yourself. That needs a lot of rules added to properly isolate.

    Edited by Mainfrezzer
    Link to comment
    1 hour ago, Mainfrezzer said:

    For every client that's only supposed to see and talk to the server, remote access to server is the right choice.

    That's what I did... just with an addition, that the 10.253.3.0/27 (which is .3.1 till .3.30) is also allowed.

    1 hour ago, Mainfrezzer said:

    For every client that's supposed to talk to the server and VPN clients, you're looking at a hub and spoke setting.

    That is what I chose for the peer with the IP range from .3.2 till 3.30.

    My "report" shouldn't be about a specific or complex setup.

    It is about the changes not being applied when I hit the "apply" button.

    I am not able to set up "complex" setups on my own.

    Link to comment

    10.253.3.0/27, that is not a single point. It is not remote access to a server, that's remote access to a hub.
    10.253.3.1/32 would be remote access to a server.

    Of course it would not save your setting, because it's nonsensical in a "remote access to server" setting. (It only saves the server's local tunnel IP and real subnet IP, no matter what IP you write in, because the client only needs to know the server's IP.)

    Your manual modification is something completely different than what the GUI offered.

    The GUI is the most basic tool you can use to set up WireGuard. It has a few presets and safeguards the user from themselves and ensures basic functionality.

    Anything above the basic "point Client to Server" or "point Client to Server Network" requires manual configuration.

    If it were a comprehensive advanced tool, your modification on the client side with allowing 10.253.3.0/27 would have resulted in unreachable.

    Edited by Mainfrezzer
    Link to comment
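To make the /27 versus /32 distinction concrete, the following is an added example (not part of the thread and not Unraid's own code) that computes which addresses an AllowedIPs entry matches and which CIDR blocks cover the two ranges quoted above exactly. The group names and function names are made up for illustration; the addresses are the ones posted in the thread.

```python
import ipaddress as ip

# Ranges quoted in the thread; the group names are labels invented for this example.
HUB_GROUP = ("10.253.3.1", "10.253.3.30")         # peers meant to reach server and other clients
ISOLATED_GROUP = ("10.253.3.31", "10.253.3.100")  # peers meant to reach only the server


def covered_range(cidr):
    """First and last address matched by one AllowedIPs entry."""
    net = ip.ip_network(cidr)
    return str(net[0]), str(net[-1])


def exact_cidrs(first, last):
    """Smallest list of CIDR blocks that covers first..last (inclusive) and nothing else."""
    blocks = ip.summarize_address_range(ip.ip_address(first), ip.ip_address(last))
    return [str(b) for b in blocks]


def leaked_addresses(allowed_ips, intended):
    """Addresses matched by an AllowedIPs list that fall outside the intended range."""
    lo, hi = (int(ip.ip_address(a)) for a in intended)
    leaked = []
    for cidr in allowed_ips:
        # Iterating a network yields every address, including .0 and the last one.
        for addr in ip.ip_network(cidr):
            if not lo <= int(addr) <= hi:
                leaked.append(str(addr))
    return leaked


if __name__ == "__main__":
    print("10.253.3.1/32 matches", covered_range("10.253.3.1/32"))
    print("10.253.3.0/27 matches", covered_range("10.253.3.0/27"))
    print("outside .1-.30:", leaked_addresses(["10.253.3.0/27"], HUB_GROUP))
    print("exact hub blocks:", ", ".join(exact_cidrs(*HUB_GROUP)))
    print("exact isolated blocks:", ", ".join(exact_cidrs(*ISOLATED_GROUP)))
```

The /27 matches 10.253.3.0 through 10.253.3.31, so it also matches the first address of the range that is meant to be isolated. As noted in the thread, restricting AllowedIPs in a client config can be changed by the client, so isolation between peers still depends on rules at the server.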
    4 hours ago, Mainfrezzer said:

    Anything above the basic "point Client to Server" or "point Client to Server Network" requires manual configuration.

    Okay, and how can I do manual configuration without the GUI reverting my changes when I hit the "apply" button?

    Link to comment

