Why use Allowed IP's?
Hoping someone with a lot of Wireguard knowledge will be able to shed some light on this.
I've recently been doing a lot of WG tunnels with some complicated PBR thrown in. I could not get it working with specific Allowed IP's so I went with 0.0.0.0/0 and it all works.
This got me wondering why not use 0/0 on all tunnels and use firewall rules for access.
My thinking has always been the Allowed IP's are basically the same as the local/remote networks of OpenVPN. Except in OVPN those networks are what creates the routes, and in WG we still have to create routes manually.
So even with a 0/0 Allowed, nothing will go down the tunnel unless it's routed down the tunnel, in which case firewall rules can then be used for "fine tuning".
All this is obviously only applicable when using a router as VPN endpoints, I can see other use cases for the Allowed IP's, but when using pfSense, why would we ever set specific Allowed IP's if they really aren't doing anything needed? (like creating routes for example)
@Jarhead I do it like that. It might be less secure, but how much?
I wish we could get rid of the Resolver ACL too.

@Jarhead said in Why use Allowed IP's?:
why would we ever set specific Allowed IP's if they really aren't doing anything needed? (like creating routes for example)
If you have more than one other peer, you can do 0.0.0.0/0 only on one.
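The two points made in this thread (AllowedIPs do not create routes on pfSense, and 0.0.0.0/0 can be given to only one peer) both follow from how WireGuard's cryptokey routing table works: each prefix is owned by exactly one peer, an outbound packet that the host's routing table hands to the wg interface is sent to the peer with the longest matching AllowedIPs entry, and an inbound decrypted packet is accepted only if its source address lies inside the sending peer's AllowedIPs. That inbound check is the part firewall rules have to take over when a peer gets 0/0, since the tunnel itself will then accept any source address from that peer. The following toy model, added here as an illustration and not code from pfSense, WireGuard or any poster, reproduces those three rules; the peer names and addresses are constructed for the example.

```python
"""Toy model of WireGuard cryptokey routing (AllowedIPs).

Added example for this thread; not pfSense or WireGuard code. It models:
  * outbound: longest-prefix match of the destination over all peers'
    AllowedIPs selects the peer (no match -> packet dropped);
  * inbound:  a decrypted packet is accepted only if its source address
    is inside the sending peer's AllowedIPs;
  * ownership: a prefix belongs to one peer at a time, so assigning
    0.0.0.0/0 to a second peer moves it away from the first.
Peer names and addresses below are constructed, not real deployments.
"""
import ipaddress


class CryptokeyTable:
    def __init__(self):
        self.peers = {}  # peer name -> list of ip_network objects

    def add_peer(self, name, allowed_ips):
        nets = [ipaddress.ip_network(a) for a in allowed_ips]
        # A prefix has a single owner: assigning it here removes it from
        # whichever peer held it before (this mirrors `wg set ... allowed-ips`).
        for other_nets in self.peers.values():
            for n in nets:
                if n in other_nets:
                    other_nets.remove(n)
        self.peers[name] = nets

    def select_peer(self, dst):
        """Outbound: return the peer whose AllowedIPs is the longest match for dst."""
        addr = ipaddress.ip_address(dst)
        best_name, best_net = None, None
        for name, nets in self.peers.items():
            for n in nets:
                if addr in n and (best_net is None or n.prefixlen > best_net.prefixlen):
                    best_name, best_net = name, n
        return best_name

    def accept_inbound(self, peer, src):
        """Inbound: accept only if src is within the sending peer's AllowedIPs."""
        addr = ipaddress.ip_address(src)
        return any(addr in n for n in self.peers.get(peer, []))


def build_example_table():
    """Hub with two site peers and one road-warrior peer holding 0.0.0.0/0 (constructed)."""
    t = CryptokeyTable()
    t.add_peer("siteA", ["10.1.0.0/16"])
    t.add_peer("siteB", ["10.2.0.0/16"])
    t.add_peer("road", ["0.0.0.0/0"])
    return t


if __name__ == "__main__":
    t = build_example_table()
    print("10.1.5.5 ->", t.select_peer("10.1.5.5"))        # siteA (more specific than 0/0)
    print("8.8.8.8  ->", t.select_peer("8.8.8.8"))         # road (only 0/0 matches)
    # siteA sending a packet with a siteB source is rejected by the tunnel itself
    print("siteA src 10.2.1.1 accepted:", t.accept_inbound("siteA", "10.2.1.1"))
    # the 0/0 peer can send any source address; only firewall rules filter it
    print("road src 192.0.2.1 accepted:", t.accept_inbound("road", "192.0.2.1"))
    # giving 0/0 to siteB as well moves the prefix: road loses it
    t.add_peer("siteB", ["10.2.0.0/16", "0.0.0.0/0"])
    print("after move, 8.8.8.8 ->", t.select_peer("8.8.8.8"))  # siteB
    print("road peers:", t.peers["road"])                      # []
```

Run it as a script to see the outbound selection and the inbound checks; the last two lines show why a 0/0 entry can live on only one peer at a time, which is what the last reply is pointing at.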