Error in WireGuard documentation

Just wanted to report a small error in the Wireguard set-up documentation (this post).

In the client config details (the middle one of the three white code boxes) it says

G_CONFIG_INJECT 'Address = ' 'Address =' wg0-client2.conf

but if you inject that IP address the config doesn’t work. On my set-up (which is working) I had to tweak that to:

G_CONFIG_INJECT 'Address = ' 'Address =' wg0-client2.conf

(of course replacing the .3 to whatever address you actually want to assign this particular client). I chose /32 to match the AllowedIPs entry in the lower code box and it works, but if there’s a better or more secure choice I’m happy to be corrected.

Many thanks for your report. Jep indeed it should have been Address =, I just fixed it.

I am not 100% sure about the difference /32 and /24 (network mask) do here, because the AllowedIPs entries define which IPs the peers allow/use to connect to each other. All guides I found state to use /24 for the Address entries. It identifies itself as part of the 10.9.0.[1-255] address range network, but not sure about practical differences. However as long as /32 works for you, stay with it. In case stricter is better than wider here.

No problem, you’re very welcome.

I wasn’t sure if it should have been /24 or /32, hence why I mentioned it.

Edited to add - looking in the final config files the address line is set to /24 anyway. So it looks like even if you inject /32 it gets changed at some point to /24 by the set-up procedure.

CIDR addressing and all that

/32 would be good for say router to router (so only a single IP address can be used [hard to hack in], /24 gives 254 addresses, so for the networking aspect, it can support up to 254 connections/IP’s into WireGuard remotely…a healthy “pool” of remote IP’s

It get’s confusing if you haven’t really learned studied it (it’s plays heavily in Cisco training)…it/s kinda a pain.

Generally netmask is clear to me, I am just wonder which affect is has for the Address entry. For AllowedIPs it is totally clear where it controls which requests are tunnelled through the VPN and which not, but no idea if the peer behaves any differently when you define him as part of a 255 address network or single IP network. Perhaps it somehow influences the request/connection marks, if it is marked as local or external request. Not not sure about any practical affects.