https://discuss.tchncs.de/u/ken posted on Feb 18, 2026 03:03
In reply to: https://lemmy.sdf.org/post/51020621

Maybe you already figured this out but I think it’s a common gotcha:

WireGuard AllowedIPs means just that: IPs that are allowed to be routed over the tunnel.

There is nothing that says that you need to have 1-to-1 mapping between that and actual routes. Most of the time it’s what you want but there are situations where you want it different.

wg-quick additionally adds corresponding ip routes as a convenience. systemd-networkd did at some point but doesn’t anymore. I’m not sure what NetworkManager does there these days.

Anyway, it’s an understandable source of confusion and the tools don’t always help.

https://discuss.tchncs.de/comment/23994488
https://lemmy.world/u/FauxLiving posted on Feb 18, 2026 07:15
In reply to: https://lemmy.sdf.org/post/51020621

You found the right workaround.

The Arch Wiki calls this “Loop routing,” where NetworkManager attempts to route traffic to the WireGuard peer’s endpoint through the tunnel itself, creating a routing loop. This occurs because the endpoint IP gets matched by the AllowedIPs ranges, causing the kernel to send handshakes over the tunnel interface instead of the physical interface. Excluding the peer endpoint from AllowedIPs is the standard fix.

Here’s the ArchWiki link (for future readers mostly, you already got it :P): https://wiki.archlinux.org/title/WireGuard#Loop_routing

https://lemmy.world/comment/22204167
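Both replies above come down to one check: does the peer's Endpoint address fall inside any of its AllowedIPs ranges? If it does, a tool that turns AllowedIPs into routes (wg-quick, per the first reply) will route the handshake packets back into the tunnel, which is the “loop routing” the second reply links to. The script below is an added example written for this thread, not code from either commenter or from the WireGuard project. It parses a constructed `[Peer]` block, reports whether the endpoint is covered, and computes the AllowedIPs list with the endpoint's host route carved out (the fix the Arch Wiki describes). The function names, the sample addresses (from the 203.0.113.0/24 documentation range) and the `<peer-public-key-placeholder>` key are all my own.

```python
import ipaddress
from typing import List, Optional, Tuple

# Constructed sample, not a real config: the Endpoint 203.0.113.10 sits inside the
# AllowedIPs range 0.0.0.0/0, which is exactly the loop-routing condition.
SAMPLE_PEER = """\
[Peer]
PublicKey = <peer-public-key-placeholder>
Endpoint = 203.0.113.10:51820
AllowedIPs = 0.0.0.0/0, ::/0
"""

IPAddr = ipaddress._BaseAddress
IPNet = ipaddress._BaseNetwork


def parse_peer(text: str) -> Tuple[Optional[IPAddr], List[IPNet]]:
    """Pull Endpoint and AllowedIPs out of one [Peer] section.

    Returns (endpoint_address, allowed_networks). The endpoint is None when the
    config uses a hostname, because resolving it is outside this offline check.
    """
    endpoint: Optional[IPAddr] = None
    allowed: List[IPNet] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key, value = key.strip().lower(), value.strip()
        if key == "endpoint":
            # Endpoint is host:port; IPv6 literals are written as [addr]:port.
            host, _, _port = value.rpartition(":")
            try:
                endpoint = ipaddress.ip_address(host.strip("[]"))
            except ValueError:
                endpoint = None  # hostname, not an address literal
        elif key == "allowedips":
            allowed.extend(
                ipaddress.ip_network(part.strip(), strict=False)
                for part in value.split(",") if part.strip()
            )
    return endpoint, allowed


def covering_ranges(endpoint: IPAddr, allowed: List[IPNet]) -> List[IPNet]:
    """AllowedIPs entries that contain the endpoint (same IP version only)."""
    return [net for net in allowed if net.version == endpoint.version and endpoint in net]


def exclude_endpoint(endpoint: IPAddr, allowed: List[IPNet]) -> List[IPNet]:
    """AllowedIPs with the endpoint's /32 (or /128) removed from any range covering it.

    address_exclude() splits a covering range into the set of subnets that
    together cover everything except the host route, so the tunnel still
    carries all other traffic while the endpoint stays on the physical route.
    """
    host = ipaddress.ip_network(f"{endpoint}/{endpoint.max_prefixlen}")
    result: List[IPNet] = []
    for net in allowed:
        if net.version == endpoint.version and endpoint in net:
            result.extend(net.address_exclude(host))  # yields nothing if net == host
        else:
            result.append(net)
    return sorted(result, key=lambda n: (n.version, int(n.network_address), n.prefixlen))


def check_peer(text: str) -> dict:
    """Summarise the loop-routing risk for one [Peer] block."""
    endpoint, allowed = parse_peer(text)
    if endpoint is None:
        return {"endpoint": None, "loop_risk": False, "covered_by": [], "fixed_allowed_ips": allowed}
    covered = covering_ranges(endpoint, allowed)
    return {
        "endpoint": endpoint,
        "loop_risk": bool(covered),
        "covered_by": covered,
        "fixed_allowed_ips": exclude_endpoint(endpoint, allowed),
    }


if __name__ == "__main__":
    report = check_peer(SAMPLE_PEER)
    print("endpoint:", report["endpoint"], "loop risk:", report["loop_risk"])
    print("AllowedIPs =", ", ".join(str(n) for n in report["fixed_allowed_ips"]))
```

The rewritten list is what a route-installing tool would then push into the kernel, one route per entry, which is why the first reply's point matters: AllowedIPs is the cryptokey routing table, and whether those entries also become kernel routes depends on the tool managing the interface. Carving a /32 out of 0.0.0.0/0 produces 32 subnets, so the fixed list is long but mechanical.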