Hi,

I've been playing around with WireGuard recently. Thank you for all your work on it. It all mostly works, but I have one thing that I can't grasp properly:

My setup is a bunch of servers that need to communicate securely over an unsecured network, like a mesh. So I have three servers and each of them has a connection to the other two (i.e. two Peers). This all works beautifully.

Now I want to add an outside client into the mix (e.g. my laptop). I want to be able to connect to just one of those hosts and have that host forward my packages to the others. I can get it to work if I pick _one_ specific jump host, but I haven't managed to set it up in a way that I can connect to any of them.

(I'm leaving out Private & Public Key, Ports and Endpoints to make the examples shorter.)

Client wg0.conf:

    [Interface]
    Address = 10.0.1.1

    # Server 1
    [Peer]
    AllowedIPs = 10.0.0.1/24

Server 1 wg0.conf:

    [Interface]
    Address = 10.0.0.1

    # Client
    [Peer]
    AllowedIPs = 10.0.1.1/32

    # Server 2
    [Peer]
    AllowedIPs = 10.0.0.2, __10.0.1.1/32__

    # Server 3
    [Peer]
    AllowedIPs = 10.0.0.3, __10.0.1.1/32__

Server 2 wg0.conf:

    [Interface]
    Address = 10.0.0.2

    # Client
    [Peer]
    AllowedIPs = 10.0.1.1/32

    # Server 1
    [Peer]
    AllowedIPs = 10.0.0.1, __10.0.1.1/32__

    # Server 3
    [Peer]
    AllowedIPs = 10.0.0.3, __10.0.1.1/32__

Server 3 etc. are similar.

This way I can connect with my client to any of the servers and I can ping them (e.g. ping 10.0.0.1), but I can _not_ ping the others: so when I connect to server-1 I cannot reach server-2 from my client (IP forwarding etc. is enabled). This only works when I remove the second IP from AllowedIPs (the one marked with underscores) from the server I connect to (e.g. server 1). The other servers (e.g. server 2 & 3) need it though, because of course they'll see traffic from 10.0.1.1 being forwarded to them, so it needs to be in their AllowedIPs. That means I can get everything to work if I pick one special host that clients connect to.

I might just fundamentally misunderstand how AllowedIPs works. Any help is greatly appreciated.

An unrelated question: Should wg-quick up be allowed to be called with just a file name? e.g. wg-quick up wg0.conf? I understand the man page that it should, but I think the behavior is broken on MacOS/Darwin because it tries to cd into the file, which fails.

Cheers,
Lars
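The following is an added example, not part of Lars' message and not WireGuard's own code. It models the AllowedIPs behaviour that the question is about with a small Python simulation of one interface's cryptokey routing table: on a given interface every prefix belongs to exactly one peer, a prefix assigned to a later peer is moved away from the earlier one (last assignment wins), outbound packets are routed to the peer whose prefix is the longest match for the destination, and a decrypted inbound packet is only accepted if its source address is within the sending peer's AllowedIPs. The peer names, the two `server1_*` builders and the `trace_*` helpers are constructed for this illustration; the addresses are the ones from the configs above.

```python
import ipaddress


class CryptokeyRouter:
    """Simplified model of one WireGuard interface's AllowedIPs table.

    Assumptions made by this model (constructed for illustration):
      * a prefix maps to exactly one peer; re-adding it under another
        peer moves it there (last assignment wins)
      * outbound: destination -> longest-prefix match -> peer
      * inbound: the decrypted packet's source must belong to the peer
        it arrived from, otherwise the packet is dropped
    """

    def __init__(self):
        self.table = {}  # ip_network -> peer name

    def add_peer(self, name, allowed_ips):
        for cidr in allowed_ips:
            # strict=False mirrors "10.0.0.1/24" being read as 10.0.0.0/24
            net = ipaddress.ip_network(cidr, strict=False)
            self.table[net] = name  # silently steals the prefix if present

    def allowed_ips(self, peer):
        return sorted(str(n) for n, p in self.table.items() if p == peer)

    def route_outbound(self, dst):
        addr = ipaddress.ip_address(dst)
        matches = [(n.prefixlen, p) for n, p in self.table.items() if addr in n]
        return max(matches)[1] if matches else None

    def accept_inbound(self, from_peer, src):
        return self.route_outbound(src) == from_peer


def server1_as_posted():
    """Server 1 with 10.0.1.1/32 listed under the client AND both servers."""
    r = CryptokeyRouter()
    r.add_peer("client", ["10.0.1.1/32"])
    r.add_peer("server2", ["10.0.0.2/32", "10.0.1.1/32"])
    r.add_peer("server3", ["10.0.0.3/32", "10.0.1.1/32"])
    return r


def server1_fixed():
    """Server 1 with the underscored entries removed (the working variant)."""
    r = CryptokeyRouter()
    r.add_peer("client", ["10.0.1.1/32"])
    r.add_peer("server2", ["10.0.0.2/32"])
    r.add_peer("server3", ["10.0.0.3/32"])
    return r


def trace_client_to_server2(router):
    """Client (10.0.1.1) pings 10.0.0.2 via this server; returns the steps."""
    steps = {}
    # 1. packet arrives from the client peer with src 10.0.1.1
    steps["request_accepted"] = router.accept_inbound("client", "10.0.1.1")
    # 2. kernel forwards it; wg picks the peer for dst 10.0.0.2
    steps["request_forwarded_to"] = router.route_outbound("10.0.0.2")
    # 3. reply comes back from server2 with src 10.0.0.2, dst 10.0.1.1
    steps["reply_accepted"] = router.accept_inbound("server2", "10.0.0.2")
    # 4. wg picks the peer for dst 10.0.1.1: must be the client to work
    steps["reply_sent_to"] = router.route_outbound("10.0.1.1")
    return steps


if __name__ == "__main__":
    for name, build in (("as posted", server1_as_posted), ("fixed", server1_fixed)):
        r = build()
        print(name, "-> client owns", r.allowed_ips("client"))
        print(name, "->", trace_client_to_server2(r))
```

Running it shows the point directly: in the as-posted table the client peer ends up owning no prefix at all, because 10.0.1.1/32 was moved to server 2 and then to server 3, so the client's packets fail the inbound source check and replies for 10.0.1.1 would be handed to server 3 instead of the client. With the underscored entries removed, every step resolves to the expected peer. The same rule is what makes the "connect to any server" layout hard to express statically: on each server, 10.0.1.1/32 can sit under the client peer or under the peer that forwards for the client, but not both at once.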