AllowedIPs for clients (QR code)

[xgusto]

When I used only wireguard (without wg-webadmin), I configured the clients as follows:

[Interface]
Address = 10.0.3.2/32
PrivateKey = 0JOGY0at***************SPrrt74CU0NBjSwAom0=

[Peer]
PublicKey = NPpRg/apyw***************irCZivtiFAKlanGFQ8=
AllowedIPs = 192.168.20.0/24,10.0.3.0/24
Endpoint = example.com:51830
PersistentKeepalive = 25

QR code generation

qrencode -t ansiutf8 < client01.conf

I use the wireguard app on my mobile phone (android). If I scanned the QR code in the app, the allowed IPs were also filled in automatically.
When I set the allowed IPs in WG-Webadmin and scan the QR code on my mobile phone, I still see the allowed IPs 0.0.0.0/0, ::/0 on my mobile phone. Then I have to fill in the IP addresses manually. I need the client not to access the Internet through wireguard, but to be terminated in LAN networks (192.168.20.0/24,10.0.3.0/24).
Here is an illustrative picture of what I have to fill in manually in app

[eduardogsilva]

Hello @xgusto I just made a few tests using the qrcode generated on wireguard_webadmin.
When scanned on wireguard app (ios) the allowed ips are properly filled.

Please make sure that you are adding the allowed ips to "Client routing configuration". As soon as you add any route, it will remove the default route.

Please make sure that you are using at least version 0.9601

Today I will also remove the requirement for primary dns server as you requested ;)

[xgusto]

Excellent work. It works exactly as you wrote.
👍

[eduardogsilva]

Glad to hear that!
The AllowedIPs with different effects based on where it's placed, can generate a bit of confusion. I've tried to be more "verbose" on the labels. Also, if you click on the information icon, it will show a message explaining the AllowedIPs thing. If you have any suggestion on how to better communicate this, let me know.

Btw, I've just released an update removing the requirement for dns primary and secondary. ;)

If no DNS server is specified, the DNS line on client config will not be included.
Please give me a feedback if the client device fallback to the DNS server received from dhcp on his LAN.

Cheers!

[xgusto]

I updated to 0.9602 confirm that I no longer need to enter DNS servers

[madox33]

Would it be possible to apply AllowedIPs lists to groups of peers? Perhaps through policies that could be applied to peer groups. Have you considered implementing such functionality?

[eduardogsilva]

Hello @madox33 , do you mean the AllowedIPs that goes on the client side right?

[madox33]

Yes, that's exactly what I mean. Right now, when you add many users and don't use the default route, you have to manually add the necessary routes for each peer, which is quite time-consuming. It would be great to have some kind of presets or route lists. Thanks!
Maybe this kind of functionality already exists and I just haven’t found it...

[eduardogsilva]

It makes sense, and it's quite simple to implement.

Do you have any naming suggestions? Need to be short.

"Client route profile" sounds a bit long

[madox33]

Just to clarify — am I right in assuming the short name is mainly intended for the left-hand navigation menu? If so, then it makes sense to keep it as short and intuitive as possible.

From your suggestions, Routing profiles and Custom routes are clear, though maybe a bit long for a menu label.
Here are a few naming ideas that might work well in that context:
Route Sets
Routing Groups
Route Templates
Peer Routes
Routes
Target networks

[SecureTux-777]

Just wanted to share an idea that might extend the current routing templates discussion:

Since there's already a "Firewall" tab in the interface – have you considered adding a more visual way to manage both firewall and routing rules? For example, a drag-and-drop UI to create client- or group-based rules.

This could make it easier for beginners to define safe, limited access (e.g. LAN-only routing), while also helping advanced users manage bulk rule assignments more efficiently.

A visual interface could simplify tasks like: “deny internet access for a whole group of users” or “allow only specific networks for a set of peers”, without having to manually repeat the same logic.

Manual rule editing would still be important for advanced use cases, but this could streamline common setups for many users.

If this idea doesn’t fit well here, feel free to let me know and I can open a separate issue.

[eduardogsilva]

Maybe some kind of firewall wizard could help to dynamically create those rules.

It's kind of easy for adding rules, but hard to "maintain" the existing ones.

I will try to figure out something that could make the firewall rules easier for beginners.