As you possibly know Wireguard hasn’t something like “DisallowedIPs” parameter to exclude some networks from allowed ones. Of course technically AllowedIPs is enough, but I am tired to calculate it by hand, so created this simple calculator:
Update: I am using small Golang HTTP-server to quickly calculate results and at first I tried ipaddr due to its similarity to the Python ipaddress. But it has a little problem, in my case it caused an infinite loop that led to DoS and finally to panic. Better use the brilliant netaddr developed by Brad Fitzpatrick and the Tailscale team (their blogpost with motivation)
Update 2: I realized that this is a great case to use WASM!