[BUG] SERVER_ALLOWEDIPS_PEER not working as expected #307

Closed
1 task done
bHub opened this issue Oct 20, 2023 · 2 comments

Comments

@bHub

bHub commented Oct 20, 2023

Is there an existing issue for this?

  • I have searched the existing issues

Current Behavior

I saw this report, which is similar to my problem:
I need to configure 3 peers with different allowed IPs.
Configuring SERVER_ALLOWEDIPS_PEER_1=192.168.1.1/32,192.168.1.2/32, and editing the peer file to AllowedIPs = 192.168.1.1/32,192.168.1.2/32,192.168.1.250/32, I can't reach the IP while using the peer 1 settings.

Expected Behavior

When using peer 1 settings in Wireguard, the IP of the variable SERVER_ALLOWEDIPS_PEER_1 should be reachable.

Steps To Reproduce

  1. Set SERVER_ALLOWEDIPS_PEER in the docker compose file
  2. Delete the existing Wireguard config directory, and start the container to recreate it
  3. Manually edit the peer configuration file (peer_1.conf), adding the same IPs specified in the SERVER_ALLOWEDIPS_PEER_1 variable
  4. Add the new configuration using the smartphone app and the QR code
  5. After starting the tunnel, the IPs of the variable SERVER_ALLOWEDIPS_PEER_1 are not reachable
  6. Only the IP specified in ALLOWEDIPS is reachable

Environment

- OS: Debian 11
- How docker service was installed: APT repository

CPU architecture

x86-64

Docker creation

DOCKER COMPOSE:

wireguard:
    container_name: WG
    cap_add:
      - NET_ADMIN
    environment:
      - PUID=$PUID
      - PGID=$PGID
      - TZ=$TZ
      - SERVERURL=MyPublicIP
      - PEERS=2
      - PEERDNS=192.168.1.250
      - INTERNAL_SUBNET=192.168.2.0/24
      - ALLOWEDIPS=192.168.1.250/32
      - SERVER_ALLOWEDIPS_PEER_1=192.168.1.50/32,192.168.1.51/32
      - SERVER_ALLOWEDIPS_PEER_2=192.168.1.52/32,192.168.1.53/32
    ports:
      - 51820:51820/udp
    volumes:
      - $MAINDIR/data/wg:/config
      - /usr/src:/usr/src
    sysctls:
      - net.ipv4.conf.all.src_valid_mark=1
    restart: unless-stopped

PEER_1.conf:

[Interface]
Address = 192.168.2.2
PrivateKey = xxxxxxxxxxxx
ListenPort = 51820
DNS = 192.168.1.250

[Peer]
PublicKey = xxxxxxxxxxxx
PresharedKey = xxxxxxxxxxxx
Endpoint = MyPublicIP:51820
AllowedIPs = 192.168.1.50/32,192.168.1.51/32,192.168.1.250/32

WG.conf:

[Interface]
Address = 192.168.2.1
ListenPort = 51820
PrivateKey = xxxxxxxxxxxx
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth+ -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth+ -j MASQUERADE

[Peer]
# peer_1
PublicKey = xxxxxxxxxxxx
PresharedKey = xxxxxxxxxxxx
AllowedIPs = 192.168.2.2/32,192.168.1.50/32,192.168.1.51/32

[...]

Container logs

[migrations] started
[migrations] no migrations found
GID/UID
───────────────────────────────────────
User UID:    1000
User GID:    1000
───────────────────────────────────────
Uname info: Linux 96a22f522cd6 5.10.0-25-amd64 #1 SMP Debian 5.10.191-1 (2023-08-16) x86_64 GNU/Linux
**** It seems the wireguard module is already active. Skipping kernel header install and module compilation. ****
**** Server mode is selected ****
**** External server address is set to MyPublicIP ****
**** External server port is set to 51820. Make sure that port is properly forwarded to port 51820 inside this container ****
**** Internal subnet is set to 192.168.2.0/24 ****
**** AllowedIPs for peers 192.168.1.250/32 ****
**** Peer DNS servers will be set to 192.168.1.250 ****
**** Server mode is selected ****
**** No changes to parameters. Existing configs are used. ****
[custom-init] No custom files found, skipping...
.:53
CoreDNS-1.10.1
linux/amd64, go1.20.10, 
**** Found WG conf /config/wg_confs/wg0.conf, adding to list ****
**** Activating tunnel /config/wg_confs/wg0.conf ****
[#] ip link add wg0 type wireguard
[#] wg setconf wg0 /dev/fd/63
[#] ip -4 address add 192.168.2.1 dev wg0
[#] ip link set mtu 1420 up dev wg0
[#] ip -4 route add 192.168.2.3/32 dev wg0
[#] ip -4 route add 192.168.2.2/32 dev wg0
[#] ip -4 route add 192.168.1.50/32 dev wg0
[#] ip -4 route add 192.168.1.51/32 dev wg0
[#] ip -4 route add 192.168.1.52/32 dev wg0
[#] ip -4 route add 192.168.1.53/32 dev wg0
[#] iptables -A FORWARD -i wg0 -j ACCEPT; iptables -A FORWARD -o wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth+ -j MASQUERADE
**** All tunnels are now active ****
[ls.io-init] done.
@github-actions

Thanks for opening your first issue here! Be sure to follow the relevant issue templates, or risk having this issue marked as invalid.

@aptalca
Member

aptalca commented Oct 20, 2023

I think you misunderstood how allowed ips work because you're trying to set the same ip in both the server and the peer configs as allowed.

Is 192.168.1.50 local to the server? Assuming it is, because that's the DNS you're setting for the peers, then you should not have the server config's allowed IPs include it. If it does, the server will try to send packets destined for that address through the tunnel to the peers.

This is most likely pebkac and not a bug as the confs look generated correctly based on your args. But it's the set of args you used that is the problem.

You can seek support on our discord.

Closing as it's not a bug.

@aptalca aptalca closed this as not planned Won't fix, can't repro, duplicate, stale Oct 20, 2023
@LinuxServer-CI LinuxServer-CI moved this from Issues to Done in Issue & PR Tracker Oct 20, 2023
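The routing consequence aptalca describes, as an added check that is not part of the issue or of the linuxserver image: every AllowedIPs entry in a server-side [Peer] block becomes a kernel route toward that peer, which is why the container logs show `ip -4 route add 192.168.1.50/32 dev wg0`. The script below parses a wg0.conf and flags peer AllowedIPs entries that overlap a LAN prefix you pass in; the sample config is constructed to mirror the posted WG.conf with placeholder keys, and 192.168.1.0/24 is assumed to be the server's LAN.

```python
import ipaddress

# Constructed sample mirroring the WG.conf in the issue (keys are placeholders).
SAMPLE_WG_CONF = """\
[Interface]
Address = 192.168.2.1
PrivateKey = xxxxxxxxxxxx

[Peer]
# peer_1
PublicKey = peer1key
AllowedIPs = 192.168.2.2/32,192.168.1.50/32,192.168.1.51/32
[Peer]
PublicKey = peer2key
AllowedIPs = 192.168.2.3/32,192.168.1.52/32,192.168.1.53/32
"""


def parse_wg_conf(text):
    """Parse a wg-quick config into [(section, {key: value})]; hand-written because
    configparser would merge the repeated [Peer] sections."""
    sections = []
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = (line[1:-1], {})
            sections.append(current)
        elif "=" in line and current is not None:
            key, value = (part.strip() for part in line.split("=", 1))
            current[1][key] = value
    return sections


def find_lan_overlaps(conf_text, lan_cidr):
    """Return (peer PublicKey, AllowedIPs entry) pairs overlapping the server LAN.
    wg-quick adds a route per AllowedIPs entry (the 'ip -4 route add' log lines),
    so such an entry diverts server traffic for that LAN host into the tunnel."""
    lan = ipaddress.ip_network(lan_cidr, strict=False)
    hits = []
    for name, kv in parse_wg_conf(conf_text):
        if name != "Peer":
            continue
        for entry in (e.strip() for e in kv.get("AllowedIPs", "").split(",")):
            if entry:
                net = ipaddress.ip_network(entry, strict=False)
                if net.version == lan.version and net.overlaps(lan):
                    hits.append((kv.get("PublicKey", "?"), entry))
    return hits
```

Running `find_lan_overlaps(SAMPLE_WG_CONF, "192.168.1.0/24")` reports all four 192.168.1.x entries from the posted config, which is exactly the set of LAN hosts the server will stop reaching directly once the tunnel is up.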