opnsense / core

OPNsense GUI, API and systems backend
https://opnsense.org/
BSD 2-Clause "Simplified" License

Wireguard cannot use same allowed-ips for multiple peers #7859

Open fzakfeld opened 2 months ago

fzakfeld commented 2 months ago

Describe the bug

When using multiple peers on a WireGuard instance with the same allowed-ips value (e.g. 10.123.175.240/28), only one works.

To Reproduce

Steps to reproduce the behavior:

  1. Create a WireGuard instance and two peers, both with the same allowed-ips value (e.g. 10.123.175.240/28).
  2. Run wg show

Expected behavior

Both peers should be able to use any address in the IPv4 subnet 10.123.175.240/28.

Describe alternatives you considered

Use more explicit /32 or /128 values, which might not always be an option.

Relevant log files

root@mgmtfwcl01-1:~ # wg show
interface: wg0
  public key: xxx
  private key: (hidden)
  listening port: 34620

peer: xxx
  endpoint: xxx:51820
  allowed ips: (none)
  latest handshake: Now
  transfer: 92 B received, 180 B sent
  persistent keepalive: every 25 seconds

peer: xxx
  endpoint: xxx:51820
  allowed ips: 10.123.175.240/28
  latest handshake: Now
  transfer: 92 B received, 180 B sent
  persistent keepalive: every 25 seconds

Additional context

XML config seems fine (same as the web UI)

Environment

OPNsense 24.1.7_4-amd64 FreeBSD 13.2-RELEASE-p11 OpenSSL 3.0.13

spin-lock commented 2 months ago

AFAIK it's always been the case. WG uses Allowed IPs for 'route' selection. Can't have two peers with the same/overlapping IP range, just like with routing.

fzakfeld commented 2 months ago

If that's the case, maybe we can add some sort of validation in the UI? Not sure how straightforward that would be.
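A validator of the kind the last comment asks for, as an added Python example that is not OPNsense code: it parses every peer's allowed-ips with the standard ipaddress module and reports exact duplicates (the reported case, where wg leaves one peer with "(none)") separately from partial overlaps, so a UI can decide how strictly to treat each. The peer names and prefixes below are constructed sample data, not taken from the report.

```python
from ipaddress import ip_network
from itertools import combinations

# Constructed sample instance: two peers sharing the /28 from the report,
# a third peer with a /32 inside that range, and one unrelated peer.
SAMPLE_PEERS = {
    "peer-a": ["10.123.175.240/28", "fd00:1::/64"],
    "peer-b": ["10.123.175.240/28"],
    "peer-c": ["10.123.175.243/32"],
    "peer-d": ["192.168.50.0/24"],
}


def parse_allowed_ips(peers):
    """Map peer name -> list of network objects.

    strict=False masks off host bits (10.123.175.243/28 becomes
    10.123.175.240/28), which is what wg does with such a prefix, so two
    differently written prefixes that cover the same range still compare equal.
    """
    return {name: [ip_network(a, strict=False) for a in allowed]
            for name, allowed in peers.items()}


def find_allowed_ip_conflicts(peers):
    """Return (kind, peer1, net1, peer2, net2) tuples for every conflicting pair.

    kind is "duplicate" when two peers carry the identical prefix (only one of
    them ends up holding it, as the wg show output in the report demonstrates)
    and "overlap" when one prefix is contained in, or partially covers, the
    other.  Prefixes of different IP versions never conflict.
    """
    parsed = parse_allowed_ips(peers)
    conflicts = []
    for (name1, nets1), (name2, nets2) in combinations(parsed.items(), 2):
        for n1 in nets1:
            for n2 in nets2:
                if n1.version != n2.version or not n1.overlaps(n2):
                    continue
                kind = "duplicate" if n1 == n2 else "overlap"
                conflicts.append((kind, name1, str(n1), name2, str(n2)))
    return conflicts


def validate_instance(peers):
    """Render conflicts as the messages a form validator could display."""
    return ["%s: peer %s allowed-ips %s vs peer %s allowed-ips %s" % c
            for c in find_allowed_ip_conflicts(peers)]


if __name__ == "__main__":
    for msg in validate_instance(SAMPLE_PEERS):
        print(msg)
```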