Wireguard – exclude a single IP address

AllowedIPs in the WireGuard configuration file determines which destination IPs are routed through the tunnel (and, on the receiving side, which source IPs the peer is allowed to send). There is no negation syntax, so if you want to exclude a single IP address from AllowedIPs, you have to list every network except that address (or addresses). A single host is written as a /32 network, e.g. a.b.c.d/32.

The easiest way to compute that list is with a short Python script:

from ipaddress import ip_network

# Everything starts as allowed; each entry in `exclude` is subtracted.
start = '0.0.0.0/0'
exclude = ['IP1REFREE', 'IP2REFREE']   # replace with the address(es) to exclude, a bare address becomes a /32

result = [ip_network(start)]
for x in exclude:
    n = ip_network(x)
    new = []
    for y in result:
        if y.overlaps(n):
            # split y into the networks that surround n, leaving n out
            new.extend(y.address_exclude(n))
        else:
            new.append(y)
    result = new

# comma-separated list in the form AllowedIPs expects
print(','.join(str(x) for x in sorted(result)))

Save this script as a .py file, for example subnets.py, and run it like this (on Linux):

python3 subnets.py

You can then paste the output after "AllowedIPs =" in the [Peer] section. Note that wg-quick installs one route per entry, so excluding a single IPv4 host turns one 0.0.0.0/0 entry into 32 routes; the excluded address is then reached through your normal default route instead of the tunnel. Also, wg-quick only sets up its fwmark-based policy routing when AllowedIPs contains a full default route (0.0.0.0/0 or ::/0), so a split list behaves like any other set of plain routes.
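The same subtraction in function form, as an added example that is not part of the original post: it also handles IPv6 (::/0), accepts whole networks as well as single hosts in the exclusion list, and checks the result before it goes into the config. The addresses 203.0.113.x and 198.51.100.x are documentation ranges used here as constructed sample input.

```python
from ipaddress import ip_network, ip_address, collapse_addresses

# Added example, not the post's original script. Sample addresses below
# (203.0.113.x, 198.51.100.x) are documentation ranges, constructed input.

def allowed_ips_excluding(excludes, start=("0.0.0.0/0", "::/0")):
    """Return the networks covering every address in `start` except those
    in `excludes`, IPv4 first, then IPv6, collapsed where possible."""
    result = [ip_network(s) for s in start]
    for ex in excludes:
        n = ip_network(ex, strict=False)        # "203.0.113.7" becomes a /32
        new = []
        for net in result:
            if net.version != n.version or not net.overlaps(n):
                new.append(net)                 # untouched by this exclusion
            elif net.subnet_of(n):
                continue                        # net lies inside the exclusion: drop it
            else:
                new.extend(net.address_exclude(n))   # split net around n
        result = new
    v4 = [n for n in result if n.version == 4]
    v6 = [n for n in result if n.version == 6]
    return list(collapse_addresses(v4)) + list(collapse_addresses(v6))


def check_allowed_ips(networks, excludes, probes):
    """True if no excluded address/network is covered and every probe is."""
    nets = [ip_network(n) for n in networks]
    for ex in excludes:
        e = ip_network(ex, strict=False)
        if any(n.version == e.version and n.overlaps(e) for n in nets):
            return False
    for p in probes:
        a = ip_address(p)
        if not any(a in n for n in nets):
            return False
    return True


def allowed_ips_line(networks):
    """Render the list as the AllowedIPs line for a [Peer] section."""
    return "AllowedIPs = " + ", ".join(str(n) for n in networks)


if __name__ == "__main__":
    excludes = ["203.0.113.7"]          # constructed: one host to keep off the tunnel
    nets = allowed_ips_excluding(excludes)
    assert check_allowed_ips(nets, excludes,
                             ["203.0.113.6", "203.0.113.8", "198.51.100.1"])
    print(len(nets), "entries")         # 32 IPv4 networks plus ::/0
    print(allowed_ips_line(nets))
```

Excluding a single host splits 0.0.0.0/0 into 32 networks (one per prefix length), which is why the check step is worth keeping: it confirms the excluded address falls outside every entry while neighbouring addresses are still covered.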

3 Responses to “Wireguard – exclude a single IP address”

  1. Hi there. Thanks for this script. I really struggled to figure out what to put in the allowed IPs to exclude just a couple of IPs. Really appreciate what you’ve done here. Have a good one!
